Mechanism and apparatus for security of newly spawned repository spaces in a distributed computing environment

ABSTRACT

A system and method for providing security for newly spawned spaces in a distributed computing environment. A client may access a first space service. The creation of a second space may be requested, such as by the client sending an appropriate request to an interface of the first space. In one embodiment, the first space and second space may share a common storage model, storage facility, and/or XML schema. The second space may initially be configured to permit access only to the requesting client. In one embodiment, a root authentication token is created for the second space. An authentication service associated with the second space may be initialized, whereby the second space is configured to permit access only to a client holding the root authentication token. The root authentication token may be sent to the requesting client or service. The requesting client may send the root authentication token to a second client. The second client may then access the second space by sending to the second space at least one of the messages specified in the second schema along with the root authentication token. The requesting client may also modify the initially configured security policy of the second space such that the second space is configured to permit access to other clients.

PRIORITY INFORMATION

This application claims benefit of priority to the following provisionalapplications, each of which is hereby incorporated by reference in itsentirety:

-   -   Ser. No. 60/202,975 filed May 9, 2000 titled Distributed        Computing Environment;    -   Ser. No. 60/208,011 filed May 26, 2000 titled Distributed        Computing Environment;    -   Ser. No. 60/209,430 filed Jun. 2, 2000 titled Distributed        Computing Environment;    -   Ser. No. 60/209,140 filed Jun. 2, 2000 titled Distributed        Computing Environment; and    -   Ser. No. 60/209,525 filed Jun. 5, 2000 titled Distributed        Computing Environment.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to distributed computing environments includingWeb-centric and Internet-centric distributed computing environments, andmore particularly to a heterogeneous distributed computing environmentbased upon a message passing model for connecting network clients andservices.

2. Description of the Related Art

Intelligent devices are becoming more and more common. Such devicesrange from smart appliances, personal digital assistants (PDAs), cellphones, lap top computers, desktop computers, workstations, mainframes;even, super computers. Networks are also becoming an increasingly commonway to interconnect intelligent devices so that they may communicatewith one another. However, there may be large differences in thecomputing power and storage capabilities of various intelligent devices.Devices with more limited capabilities may be referred to as smallfootprint devices or “thin” devices. Thin devices may not be able toparticipate in networks interconnecting more capable devices. However,it may still be desirable to interconnect a wide variety of differenttypes of intelligent devices.

The desire to improve networking capabilities is ever increasing.Business networks are expanding to include direct interaction withsuppliers and customers. Cellular phones, personal digital assistantsand Internet-enabled computers are commonplace in both business and thehome. Home networks are available for interconnecting audio/visualequipment such as televisions and stereo equipment to home computers,and other devices to control intelligent systems such as securitysystems and temperature control thermostats. High bandwidth mediums suchas cable and ASDL enable improved services such as Internet access videoon demand, e-commerce, etc. Network systems are becoming pervasive. Evenwithout a formal network, it is still desirable for intelligent devicesto be able to communicate with each other and share resources.

Currently, traditional networks are complex to set up, expand andmanage. For example, adding hardware or software to a network oftenrequires a network administrator to load drivers and configure systems.Making small changes to a network configuration may require that theentire network be brought down for a period of time. Also, certainintelligent devices may not support the necessary interfaces tocommunicate on a given network.

What is needed is a simple way to connect various types of intelligentdevices to allow for communication and sharing of resources whileavoiding the interoperability and complex configuration problemsexisting in conventional networks. Various technologies exist forimproving the addition of devices to a network. For example, many modernI/O buses, such as the Universal Serial Bus, 1394 and PCI, support plugand play or dynamic discovery protocols to simplify the addition of anew device on the bus. However, these solutions are limited to specificperipheral buses and are not suitable for general networks.

A more recent technology, Jini from Sun Microsystems, Inc., seeks tosimplify the connection and sharing of devices such as printers and diskdrives on a network. A device that incorporates Jini may announce itselfto the network, may provide some details about its capabilities, and mayimmediately become accessible to other devices on the network. Jiniallows for distributed computing where the capabilities of the variousdevices are shared on a network. The Jini technology seeks to enableusers to share services and resources over a network. Another goal ofthe Jini technology is to provide users with easy access to resourcesanywhere on the network while allowing the network location of the userto change. Jini also seeks to simplify the task of building, maintainingand altering a network of devices, software and users.

Jini requires that each Jini enabled device has a certain amount ofmemory and processing power. Typically, a Jini enabled device isequipped with a Java Virtual Machine (JVM). Thus, Jini systems are Javatechnology centered. Java is a high level object oriented programminglanguage developed by Sun Microsystems, Inc. Java source code may becompiled into a format called bytecode, which may then be executed by aJava Virtual Machine. Since Java Virtual Machines may be provided formost computing platforms, Java and thus Jini provide for a certainamount of platform independence. The Jini architecture leverages off theassumption that the Java programming language is the implementationlanguage for the components of the Jini system. The ability todynamically download and run Java code is central to many features ofthe Jini architecture.

The purpose of the Jini architecture is to federate groups of devicesand software components into a single dynamic distributed system. A keyconcept within the Jini architecture is that of a service. A service isan entity that can be used by a person, a program, or another service.Two examples of services are printing a document and translating fromone word processor format to another. Jini allows the members of a Jinisystem to share access to services. Services in a Jini systemcommunicate with each other by using a service protocol, which is a setof interfaces written in the Java programming language. Services arefound and resolved in a Jini system by a look-up service. A look-upservice maps interfaces indicating the functionality provided by aservice to sets of objects that implement the service.

Descriptive entries may also be associated with a service. Devices andapplications use a process known as discovery to register with the Jininetwork. Once registered, the device or application places itself in thelook-up service. The look-up service may store not only pointers tothese services on the network, but also may store the code for accessingthese services. For example, when a printer registers with the look-upservice, it loads its printer driver and/or an interface to the driverinto the look-up service. When a client wants to use the printer, thedriver and driver interface get downloaded from the look-up service tothe client. This code mobility means that clients can take advantage ofservices from the network without pre-installing or loading drivers orother software.

Communication between services in a Jini system is accomplished usingthe Java Remote Method Invocation (RMI). RMI is a Java programminglanguage enabled extension to traditional remote procedure callmechanisms. RMI allows not only data to be passed from object to objectaround the Jini network, but full objects including code as well. Jinisystems depend upon this ability to move code around the network in aform that is encapsulated as a Java object.

Access to services in a Jini system is lease based. A lease is a grantof guaranteed access over a time. Each lease is negotiated between theuser of the service and the provider of the service as part of theservice protocol. A service may be requested for some period and accessmay be granted for some period presumably considering the requestperiod. Leases must be renewed for a service to remain part of the Jinisystem.

FIG. 1 illustrates the basic Jini technology stack. The Jini technologydefines a distributed programming model 12 (supported by JavaSpaces,leases, and object templates). Object communication in Jini is based onan RMI layer 14 over a TCP/IP capable networking layer 16.

Jini is a promising technology for simplifying distributed computing.However, for certain types of devices, Jini may not be appropriate. Thecomputing landscape is moving toward a distributed, Web-centric serviceand content model where the composition of client services and contentchanges rapidly. The client of the future may be a companion type devicethat users take with them wherever they go. Such a device may be acombination of a cell phone and a PDA for example. It would be desirablefor such devices to be able to communicate and share resources with morepowerful devices as well as thinner or less powerful devices.

Also, with the advent of the Internet and resulting explosion of devicesconnected to the net, a distributed programming model designed toleverage this phenomenon is needed. An enabling technology is neededthat facilitates clients connecting to services in a reliable and securefashion. Various clients from thick to thin and services need to beconnected over the Internet, corporate Internets, or even within singlecomputers. It is desirable to abstract the distance, latency andimplementation from both clients and services.

The key challenge for distributed computing technology is to be scalablefrom powerful thick clients down to very thin clients such as embeddedmobile devices. Current distributed computing technologies, such asJini, may not be scalable enough for the needs of all types of clients.Some devices, such as small footprint devices or embedded devices, maylack sufficient memory resources and/or lack sufficient networkingbandwidth to participate satisfactorily in current distributed computingtechnologies. The low end of the client spectrum, including embeddedmobile devices, often have limited or fixed code execution environments.These devices also may have minimal or no persistent storagecapabilities. Most small, embedded mobile devices do not support a JavaVirtual Machine. Most code-capable small clients run native code only.Also, most small devices have little more than flash memory or batterybacked RAM as their sole persistent storage media. The size of thestorage is often very small and sometimes read-only in nature.Furthermore, the access time of this type of storage media is often anorder of magnitude greater than hard disk access time in more powerfulclients.

Existing connection technologies, such as Jini, may not be as scalableas desired because they are too big. For example, Jini requires that allparticipants support Java; however, many small clients may not have theresources for a Java Virtual Machine. Furthermore, due to its use ofRMI, Jini requires that clients be able to download code and content.Jini may augment the existing client platform by downloading newclasses, which may pose security and size concerns for small devicessuch as embedded devices. Jini works by clients and resourcescommunicating by passing code and data. When a client activates a Jiniservice, the service may return its results to the client, which mayinclude a large amount of code or content. In Jini, a client may call amethod and a large object may be returned, and thus downloaded. Theclient may not have the resource to accept the returned object. Also,RMI and Java itself require a lot of memory. Many small foot printdevices may not have the resources to participate effectively or at allin current distributed computing technologies.

Another concern with existing distributed computing technologies is thatthey often require certain levels of connection capability andprotocols. For example, Jini assumes the existence of a network ofreasonable speed for connecting computers and devices. Jini alsorequires devices to support TCP/IP network transport protocol. However,many smaller devices may have limited connection capabilities. Smalldevices may have high latency or low speed network connections and maynot support TCP/IP.

As mentioned above, Jini requires devices to support Java and thusinclude a Java Virtual Machine, which requires a certain amount ofprocessing and storage capabilities that might not be present for manysmall devices. This also restricts the flexibility of Jini in thatnon-Java devices may not directly participate in a Jini system. SinceJini requires Java, it may be deemed a homogenous environment. However,it is desirable to have a distributed computing facility forheterogeneous distributed computing that scales from extremely smallembedded devices through PDA's and cell phones to laptops and beyondeven to the most powerful computers.

Other heterogeneous solutions exist, such as the Common Object RequestBroker Architecture (CORBA). CORBA is an architecture that enablesprogram objects to communicate with one another regardless of theprogramming language they were written in or what operating systemthey're running on. However, CORBA does not address all of theconnection issues that are addressed by Jini. Also, CORBA suffers fromsimilar scalability problems as Jini.

Technology such as Jini and CORBA use a code-centric programming modelto define the interface between remote components. A code-centricprogramming model defines programmatic interfaces or API's forcommunication between remote clients or components. The API's may bedefined in a particular programming language. The API's must be agreedto by all software components to ensure proper interoperability. Sinceall access to components is through the use of these standards API's,the code that implements these API's must be present in the clientplatform. The code may be statically linked into the platform ordynamically downloaded when needed. Many embedded or mobile devicessimply cannot accept code dynamically from a network due to the qualitycontrol issues involved as well as the reliance on a single language andprogram execution environment. Data-centric models, such as networkingprotocols, may avoid the dependence on moving code; however, suchprotocols are not rich enough to easily provide for distributedcomputing and they also lack the ease of programming with code and otherprogramming features, such as type safety.

Conventional distributed computing systems rely on the ability of aprogram executing on a first device to be able to remotely call aprogram on a second device and have the results returned to the firstdevice. The Remote Procedure Call (RPC) is a basic mechanism forremotely calling a program or procedure. CORBA and Jini are both basedon the ability to remotely invoke program methods. However,communicating by passing code or objects, such as in Jini or CORBA, maybe somewhat complex. For example, as mentioned above, Jini uses the JavaRemote Method Invocation (RMI) to communicate between services. In orderfor a client to move Java objects to and from remote locations, somemeans of serialization/deserialization is needed. Such currentfacilities in the Java Development Kit (JDK) rely upon the reflectionAPI to determine the content of a Java object, and ultimately that codemust consult the Virtual Machine. This code is quite large andinefficient.

The fundamental problems with the current method for doingserialization/deserialization include its size, speed, and objecttraversal model. Code outside the JVM does not know the structure orgraph of a Java object and thus must traverse the object graph, pullingit apart, and ultimately must call upon the JVM. Traditionalserialization and reflection mechanisms for storing and moving Javaobjects are just not practical for all types of devices, especiallythinner devices. Some of the difficulties with Java reflection andserialization are that an object's graph (an object's transitiveclosure) reflection is difficult to do outside the JVM. Serialization istoo large, requiring a large amount of code. Also, serialization is aJava specific object interchange format and thus may not be used withnon-Java devices.

The Jini distributed computing model requires the movement of Javaobjects between Java devices. Thus, the serialization mechanism itselfis not platform independent since it may not be used by non-Javaplatforms to send and receive objects. Serialization is a homogenousobject format—it only works on Java platforms. Serialization uses thereflection API and may be limited by security concerns, which often mustbe addressed using native JVM dependent methods. The reflection API mayprovide a graph of objects, but is inefficient due to the number ofcalls between the JVM and the code calling the reflection methods.

The use of Java reflection to serialize an object requires anapplication to ping pong in and out of the JVM to pick apart an objectone field at a time as the transitive closure of the object isdynamically analyzed. Deserializing an object using Java deserializationrequires the application to work closely with the JVM to reconstitutethe object one field at a time as the transitive closure of the objectis dynamically analyzed. Thus, Java serialization/deserialization isslow and cumbersome while also requiring large amounts of applicationand JVM code as well as persistent storage space.

Even for thin clients that do support Java, the Jini RMI may not bepractical for thin clients with minimal memory footprints and minimalbandwidth. The serialization associated with the Jini RMI is slow, big,requires the JVM reflection API, and is a Java specific objectrepresentation. Java deserialization is also slow, big and requires aserialized-object parser. Even Java based thin clients may not be ableto accept huge Java objects (along with needed classes) being returned(necessarily) across the network to the client as required in Jini. Amore scalable distributed computing mechanism is needed. It may bedesirable for a more scalable distributed computing mechanism to addresssecurity concerns and be expandable to allow for the passing of objects,such as Java objects, and even to allow for process migration from onenetwork mode to another.

Object based distributed computing systems need persistent storage.However, as discussed above, attempts at object storage are oftenlanguage and operating system specific. In addition, these objectstorage systems are too complicated to be used with many small, embeddedsystems. For example, the Jini technology uses JavaSpaces as persistentobject containers. However, a JavaSpace can only store Java objects andcannot be implemented in small devices. Each object in a JavaSpace isserialized and pays the above-described penalties associated with Javaserialization. It may be desirable to have a heterogeneous objectrepository for distributed computing that may scale from small to largedevices.

JavaSpaces from Sun Microsystems, Inc., draws from the parallelprocessing work of David Gelernter, a computer science professor at YaleUniversity. Gelernter's set of functions named “Linda” create a sharedmemory space called a TupleSpace, in which results of a computer'sprocesses or the processes themselves may be stored for access bymultiple CPUs. Linda therefore provides a global shared memory formultiple processors.

Another technology which extends Linda is TSpaces from IBM Corporation.TSpaces extends the basic Linda TupleSpace framework with real datamanagement and the ability to download new datatypes and new semanticfunctionality. TSpaces provides a set of network communication buffersand a set of APIs for accessing those buffers. Like many of thesolutions discussed above, TSpaces therefore uses a code-centricprogramming model and shares the drawbacks of such a model.Additionally, TSpaces is implemented in the Java programming languageand therefore requires a Java Virtual Machine or other means ofexecuting Java bytecode, such as a Java-capable microprocessor.Therefore, TSpaces may be inappropriate for small-footprint deviceswhich cannot devote sufficient resources for executing Java bytecode.

It is desirable in object oriented distributed systems to be able tolocate object repositories and find particular objects within thoserepositories. As mentioned above, the Jini look-up server may not bepractical for small devices with small memory footprints. A moreefficient mechanism for locating object stores may be desirable.

Distributed object access also desires a fair and efficient sharingmechanism. As described above Jini currently uses a leasing mechanism toshare objects. However, Jini leases are time based which may result in anumber of problems. For example, the current object holder might have noidea how long to lease an object and may hold it too long. Also, the useof time-based leases may require that time be synchronized betweenmultiple machines. Moreover time based leasing may require operatingsystem support. Also, Jini leases are established and released via RMI.Thus, the Jini leasing mechanism suffers from the above-noted problemswith using RMI. Other leasing mechanisms may be desirable.

Generally speaking, it is desirable for small memory foot print mobileclient devices to be able to run a variety of services, both legacy andnew, in a distributed environment. The types of small clients mayinclude cell phones and PDA's with a variety of different networkinginterfaces, typically low bandwidth. Often these devices have very smalldisplays with limited graphics, but they could include laptops andnotebook computers, which may have a larger display and moresophisticated graphics capabilities. The services may be a wide range ofapplications as well as control programs for devices such as printers.It is desirable for a mobile client to be able to use these serviceswherever they may be.

A mobile client will often be at a temporary dynamic network address, sonetworking messages it sends cannot be routed beyond that networkinginterface (otherwise there may be collisions when two different clientson different networks have the same dynamic address). Mobile clientsoften do not have the capability for a full function browser or othersophisticated software. The displays may limit the client from runningcertain applications. Traditional application models are based onpredetermined user interface or data characteristics. Any change to theapplication requires recompilation of the application.

It may be desirable for such clients to have a mechanism for finding andinvoking distributed applications or services. The client may need to beable to run even large legacy applications which could not possibly fitin the client's memory footprint. As discussed above, currenttechnology, such as Jini, may not be practical for small footprintdevices. The pervasiveness of mobile thin clients may also raiseadditional needs. For example, it may be desirable to locate servicesbased on the physical location of the user and his mobile client. Forexample, information about the services in a local vicinity may be veryhelpful, such as local restaurants, weather, traffic maps and movieinfo.

Similarly, information about computing resources, such as printers in aparticular location, may be helpful. Current technologies do not providean automatic mechanism for locating services based on physical locationof the client. Another need raised by thin mobile clients is that ofaddressing the human factor. Thin mobile clients typically do notcontain ergonomic keyboards and monitors. The provision of such humanfactor services and/or the ability to locate such services in adistributed computing environment may be desirable.

SUMMARY OF THE INVENTION

The problems outlined above are in large part solved by variousembodiments of a system and method for interaction and access to sharedcontent among clients and services within a distributed computingenvironment. A distributed computing environment may rely on “spaces” orobject repositories to provide a rendezvous mechanism or catalyst forthe interaction between clients and services. Service providers mayadvertise services in a space. Clients may find the advertisements in aspace and use the information from an advertisement to access a serviceusing an XML (eXtensible Markup Language) messaging mechanism of thedistributed computing environment. Many spaces may exist, eachcontaining XML advertisements that describe services or content. Thus, aspace may be a repository of XML advertisements of services and/or XMLdata, which may be raw data or advertisements for data, such as results.

In one embodiment, a space itself is a service. Like any service, aspace has an advertisement, which a client of the space must firstobtain in order to be able to run that space service. A space's ownadvertisement may include an XML schema, a credential or credentials,and a URI (Uniform Resource Identifier) which indicate how to access thespace. A client may construct a gate from a space service'sadvertisement in order to access the space. A client of a space mayitself be a service provider seeking to advertise in that space ormodify an existing advertisement. Or a client of a space may be anapplication seeking to access a service or content listed by the space.Thus, spaces may provide catalysts for the interaction between clientsand services in the distributed computing environment.

A space may include a collection of named advertisements. A space may becreated with a single root advertisement that describes the spaceitself. Additional advertisements may be added to a space. Anadvertisement's name may locate the advertisement within the space,including specifying any necessary graphing information such as ahierarchy of names. In a preferred embodiment, the structure of a spaceis not dictated by the distributed computing environment. That is,spaces may be structured as, for example, a flat un-related set ofadvertisements or a graph of related advertisements (e.g. commercialdatabase). Since, in a preferred embodiment, the distributed computingenvironment does not dictate how a space actually stores its content,spaces may be supported by small to large devices. For example, a simplespace may be tailored to fit on small devices, such as PDAs. Moreadvanced spaces may be implemented on large severs employing largecommercial databases.

As mentioned above, a space may contain advertisements for services inthe distributed computing environment. An advertisement may provide amechanism for addressing and accessing services and/or content withinthe distributed computing environment. An advertisement may specify aURI for a service. In some embodiments, the URI may allow for theservice to be accessible over the Internet. An advertisement may alsoinclude an XML schema for the service. The XML schema may specify a setof messages that clients of the service may send to the service toinvoke functionality of the service. The XML schema may define theclient-service interface. Together, the URI and the XML specified in anadvertisement may indicate how to address and access the service. Boththe URI and schema may be provided in XML as an advertisement in aspace. Thus, a mechanism for addressing and accessing a service in adistributed computing environment may be published as an advertisementin a space. Clients may discover a space and then lookup individualadvertisement for services or content. Spaces and all advertisementswithin a space may be addressed using URIs. In one embodiment, space andadvertisement names may follow URL (Uniform Resource Locator) namingconventions. The use of URIs, e.g. URLs, for addressing spaces may allowspaces to be addressable throughout the Internet, in some embodiments.

Once a client of a space finds the advertisement of a space service,that client of the space may run the space service, as it would anyother service. Note that the client of the space service may be anotherservice (e.g. a service seeking to advertise in the space). In oneembodiment, to run a space service, the client of the space may firstrun an authentication service for the space to obtain an authenticationtoken. The authentication service may be specified in the serviceadvertisement of the space service. The client of the space uses theauthentication token, the XML schema of the space (from space's serviceadvertisement), and the URI of the space (from space's serviceadvertisement) to construct a gate for the space. The client of thespace may then run the space service by using the gate to send messagesto the space service.

For embodiments employing authentication, when the space servicereceives the first message from the client, with the authenticationtoken embedded, the space service uses the same authentication service(specified in the service advertisement of the space service) toauthenticate the client, thus establishing its identity. The spaceservice may determine the client's capabilities and bind them to theauthentication token.

A client of a space may run various space facilities by sending messagesto the space service. In one embodiment, when a client of a space sendsa request to the space service, it passes its authentication token inthat request, so the space service can check the request against theclient's specific capabilities.

Each space is typically a service and may have an XML schema definingthe core functionality of the space service. The XML schema may specifythe client interface to the space service. In one embodiment, all spaceservices may provide a base-level of space-related messages. Thebase-level space functionality may be the basic space functionality thatis capable of being used by most clients, including small devices suchas PDAs. It may be desirable to provide for additional functionality,e.g. for more advanced clients. Extensions to the base-level space maybe accomplished by adding more messages to the XML schema thatadvertises the space. For example, in one embodiment, the base-levelmessages do not impose any relationship graph upon the advertisements.Messages, for example, to traverse a hierarchy of advertisements may bea space extension. Providing such additional functionality may be doneby providing one or more extended XML space schemas or schema extensionsfor a space. The extended schemas may include the base schema so thatclients of an extended space may still access the space as a base space.

In one embodiment, a space may provide a facility for a client toinstantiate a service advertised in the space. Service instantiation isthe initialization done that allows a client to be able to run aservice. To instantiate a service, a client may first select one of theservice advertisements published in the space. The client may use thevarious facilities, such as the look up facility, provided by the spaceto look up the various advertisements in the space. Then the client mayrequest the space to instantiate the service.

In one embodiment, service instantiation may include the followingactions. After the client requests the space service to instantiate theselected service, the space service may then verify the client isallowed to instantiate the requested service. The space service mayperform this verification by examining the an authentication tokenincluded in the clients message. The authentication token is thecredential the client received when it established a session with thespace service. The space service may verify if the client is allowed toinstantiate the requested service according to the client'sauthentication token and capabilities indicated for that client.

Assuming the client is authorized, the space service may also obtain alease on the service advertisement for the client with the lease requesttime specified by the client. The space service may then send a messageto the client which includes the allocated lease and the serviceadvertisement of the service. In one embodiment, the client may run anauthentication service specified in the service advertisement and obtainan authentication token. Next, the client may construct a gate for theservice (for example, using the authentication token and the XML schemaand service URI from the advertisement). The above describedcommunication between the client and space service is performed usingthe XML messaging of the distributed computing environment. The clientmay then run the service using the constructed gate and XML messaging.The service may similarly construct a service gate for XML messagecommunication with the client.

An example use of a space is discussed as follows. A client may access(i.e., connect to) a space service. (A service may act as a client forthe purpose of accessing or otherwise using a space.) The space servicemay store one or more service advertisements and/or other content in aspace, and each of the service advertisements may include informationwhich is usable to access and execute a corresponding service. The spaceservice may include a schema which specifies one or more messages usableto invoke functions of the space service. For example, the schema mayspecify methods for reading advertisements from the space and publishingadvertisements in the space. The schema and service advertisements maybe expressed in an object representation language such as eXtensibleMarkup Language (XML). In accessing the space service, the client maysend information such as an XML message (as specified in the schema) tothe space service at an Internet address. In accessing the spaceservice, the client may search the one or more service advertisementsstored in the space. The client may select one of the serviceadvertisements from the space. In one embodiment, the client may send aninstantiation request to the space after selecting the desired serviceadvertisements from the space. A lease may be obtained for the desiredservice, and the lease and the selected service advertisement may besent by the space service to the client. The client may then construct agate for access to the desired service. The desired service may beexecuted on behalf of the client.

Another facility provided by a space service may be the spawning orcreation of an empty space. This space facility may allow a client(which may be a service to another client) to dynamically create a newspace. In one embodiment, this space facility may include an interfacefor spawning an empty space with the same functionality (same XML schemaor extended schema) as the space from which it is spawned. In otherembodiments, the schema of the spawned space may be a portion of theschema of the parent space, or the spawned space may have a differentschema altogether, as specified at the time of its creation. Thisfacility may be useful for generating (e.g. dynamically) spaces forresults. For example, a client may spawn a space and request that aservice place results or advertise results in the spawned space. Theclient may pass the spawned space URI and/or authentication credentialto the service. Or a service may spawn a space for results and pass thespawned space URI and/or authentication credential to the client. Insome embodiments, once a space is spawned, it may be discovered justlike other spaces using one or more of the space discovery mechanismsdescribed herein.

In one embodiment, a client may access (e.g., connect to) a first spaceservice. (A service may act as a client for the purpose of accessing orotherwise using a space.) The first space service may store one or moreservice advertisements and/or other content in a first space, and eachof the service advertisements may include information which is usable toaccess and execute a corresponding service. The first space service mayinclude a first schema which specifies one or more messages usable toinvoke functions of the first space service. For example, the firstschema may specify methods for reading advertisements from the firstspace and publishing advertisements in the first space. The first schemaand service advertisements may be expressed in an object representationlanguage such as eXtensible Markup Language (XML). In accessing thefirst space service, the client may send information such as an XMLmessage (as specified in the first schema) to the first space service ata first Internet address (e.g., URI). In accessing the first spaceservice, the client may search the one or more service advertisementsstored in the first space.

The creation of a second space may be requested, such as by the clientsending an appropriate request to an interface of the first space. Inresponse, a second space service with a second space may be created,such as at a second Internet address (e.g., URI). As above, the secondspace service may include a second schema which specifies one or moremessages usable to invoke functions of the second space service. Thesecond schema may include at least the first schema, and the secondschema may include additional functionality as well The client may thenaccess the second space by sending to the second space at least one ofthe messages specified in the second schema.

By using a mechanism in which a space may be created via an interface inanother space (e.g. a space spawning facility), new spaces may becreated efficiently. For example, in one embodiment, storage for thespawned space may be allocated using the same facility used by theoriginal space for storage. In one embodiment, the first space may storea first set of information, such as XML advertisements or other content,according to a particular storage model. Upon its creation, the secondspace is operable to store a second set of information according to thesame storage model. Also, a spawned space may share a common servicefacility with its original (or parent) space. For example, a new URI maybe assigned to the new space. In one embodiment, the new URI may be aredirection to a common space facility shared with the original space.Thus, a newly spawned space may use the same or some of the same servicecode as that of the original code. In other words, the first spaceservice may include a set of program instructions which arecomputer-executable to provide the first space. The second space servicemay include substantially the same set of program instructions, whereinthe set of program instructions are further computer-executable toprovide the second space.

In one embodiment, a new space may be spawned in a substantially securemanner. A client (including a service acting as a client of a spaceservice) which requests creation of the space may be referred to as therequesting client. The second space may initially be configured topermit access only to the requesting client. In one embodiment, a rootauthentication token is created for the second space. An authenticationservice associated with the second space may be initialized, whereby thesecond space is configured to permit access only to a client holding theroot authentication token. The root authentication token may be sent tothe requesting client or service. The requesting client may then accessthe second space by sending to the second space at least one of themessages specified in the second schema and by using the rootauthentication token.

In one embodiment, therefore, when a requester has spawned a space, onlythe requestor may be allowed to access the spawned space. For example,the spawned space may be for storing results from a service that theclient needs to keep secured. In one embodiment, this security may beensured by:

-   -   Creating an initial root authentication token, and initializing        the authentication service of the spawned space, so that the        authentication service only authenticates the root        authentication token, and so that it returns no other        authentication tokens (no other clients of the spawned space        allowed initially).    -   Initializing the security policies of the spawned space so that        the root identity associated with the root authentication token        has access to all facilities of the space, including the        security administration facilities.    -   Returning the root authentication token and the service        advertisement of the spawned space to the requester of the        spawned space.

The requester may build a gate to access the spawned space, since it isreturned the authentication credential and the service advertisement ofthe spawned space. In one embodiment, only the requestor and clients orservices that the requestor passes the authentication credential and thespawned space's service advertisement may access the spawned space. Suchlimiting of access to the spawned space may be useful when a client andservice are using that spawned space to store results, for example, ifthe client and service desire to keep the results private.

In one embodiment, the requesting client may send the rootauthentication token to a second client (including a service acting as aclient of the space service). The second client may then access thesecond space by sending to the second space at least one of the messagesspecified in the second schema along with the root authentication token.

After running a service, the client may change the authenticationpolicies of the spawned space using a security administration spacefacility, and other clients or services may then access the spawnedspace. The other clients may then have access to the second spaceservice, so that, for example, the other clients may read serviceadvertisements from the second space. In addition, the spawned space'sservice advertisement may be made available to other clients of thespawned space (the other clients may be services) using the discoveryprotocol or other means.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of a conventional distributed computingtechnology stack;

FIG. 2 is an illustration of a distributed computing environmentprogramming model according to one embodiment;

FIG. 3 is an illustration of messaging and networking layers for adistributed computing environment according to one embodiment;

FIG. 4 is an illustration of a discovery service for finding spacesadvertising objects or services in a distributed computing environmentaccording to one embodiment;

FIG. 5 illustrates client profiles supporting static and formattedmessages for a distributed computing environment according to oneembodiment;

FIG. 6 is an illustration of a distributed computing model employing XMLmessaging according to one embodiment;

FIG. 7 illustrates a platform independent distributing computingenvironment according to one embodiment;

FIG. 8 is an illustration of a distributed computing model in whichservices are advertised in spaces according to one embodiment;

FIG. 9 is an illustration of a distributed computing model in whichresults are stored in spaces according to one embodiment;

FIG. 10 a is an illustration of client and service gates as messagingendpoints in a distributed computing model according to one embodiment;

FIG. 10 b is an illustration a message endpoint generation according toa schema for accessing a service according to one embodiment.

FIG. 11 a illustrates gate creation in a distributed computingenvironment according to one embodiment;

FIG. 11 b illustrates gate creation and gate pairs in a distributedcomputing environment according to one embodiment;

FIG. 12 is an illustration of possible gate components in a distributedcomputing environment according to one embodiment;

FIG. 13 is an illustration of proxy client for a conventional browser toparticipate in the distributed computing environment according to oneembodiment;

FIG. 14 illustrates the use of a method gate to provide a remote methodinvocation interface to a service in a distributed computing environmentaccording to one embodiment;

FIG. 15 is an illustration of the use of a space in a distributedcomputing environment according to one embodiment;

FIG. 16 illustrates advertisement structure according to one embodiment;

FIG. 17 illustrates one example of advertisement state transitions thatan advertisement may undergo during its lifetime according to oneembodiment;

FIG. 18 is an illustration various space location mechanisms in adistributed computing environment according to one embodiment;

FIG. 19 is an illustration of space federations in a distributedcomputing environment according to one embodiment;

FIG. 20 is a flow diagram illustrating client formation of a sessionwith a space service in a distributed computing environment according toone embodiment;

FIG. 21 is an illustration of a space event type hierarchy for oneembodiment;

FIG. 22 is a flow diagram illustrating service instantiation in adistributed computing environment according to one embodiment;

FIG. 23 is an illustration of a default space in a distributed computingenvironment according to one embodiment;

FIG. 24 illustrates an example of a device bridging proximity-baseddevices onto another transport mechanism to allow the services providedby the proximity-based devices to be accessed by devices outside theproximity range of the devices, according to one embodiment;

FIG. 25 is an illustration of the use of lease renewal messages in adistributed computing environment according to one embodiment;

FIG. 26 a is a flow diagram illustrating an authentication serviceproviding an authentication credential to a client according to oneembodiment;

FIG. 26 b is a flow diagram expanding on step 1002 of FIG. 26 a andillustrating an authentication service generating an authenticationcredential according to one embodiment;

FIG. 27 illustrates one embodiment of a bridging mechanism;

FIG. 28 illustrates an example of a space discovery protocol mapped toan external discovery service according to one embodiment;

FIG. 29 illustrates bridging a client external to the distributedcomputing environment to a space in the distributed computingenvironment according to one embodiment;

FIG. 30 is an illustration of a proxy mechanism according to oneembodiment;

FIG. 31 illustrates one embodiment of a client with an associateddisplay and display service according to one embodiment;

FIGS. 32A and 32B illustrate examples of using schemas of dynamicdisplay objects according to one embodiment;

FIG. 33A illustrates a typical string representation in the Cprogramming language;

FIG. 33B illustrates an example of a conventional string function;

FIG. 33C illustrates an efficient method for representing and managingstrings in general, and in small footprint systems such as embeddedsystems in particular according to one embodiment;

FIG. 34 illustrates a process of moving objects between a client and aservice according to one embodiment;

FIGS. 35 a and 35 b are data flow diagrams illustrating embodimentswhere a virtual machine (e.g. JVM) includes extensions for compilingobjects (e.g. Java Objects) into XML representations of the objects, andfor decompiling XML representations of (Java) objects into (Java)objects;

FIG. 36 illustrates a client and a service accessing store mechanisms inthe distributed computing environment, according to one embodiment;

FIG. 37 illustrates process migration using an XML representation of thestate of a process, according to one embodiment;

FIG. 38 illustrates a mobile client device accessing spaces in a localdistributed computing network, according to one embodiment;

FIG. 39 a illustrates a user of a mobile device discovering the locationof docking stations, according to one embodiment;

FIG. 39 b illustrates a mobile client device connecting to a dockingstation, according to one embodiment;

FIG. 40 a illustrates an embodiment of embedded devices controlled by acontrol system and accessible within the distributed computingenvironment, according to one embodiment;

FIG. 40 b illustrates a device control system connected via a network(e.g. the Internet) to embedded devices accessible within thedistributed computing environment, according to one embodiment;

FIG. 41 is a flow diagram illustrating the spawning of a new space in adistributed computing environment according to one embodiment; and

FIG. 42 is a flow diagram illustrating the secure spawning of a newspace in a distributed computing environment according to oneembodiment.

While the invention is susceptible to various modifications andalternative forms, specific embodiments thereof are shown by way ofexample in the drawings and will herein be described in detail. Itshould be understood, however, that the drawings and detaileddescription thereto are not intended to limit the invention to theparticular form disclosed, but on the contrary, the intention is tocover all modifications, equivalents and alternatives falling within thespirit and scope of the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Overview of Embodiments for Distributed Computing

Turning now to FIG. 2, a distributed computing environment programmingmodel is illustrated. The model includes API layer 102 for facilitatingdistributed computing. The API layer 102 provides an interface thatfacilitates clients connecting to services. The API layer 102 isconcerned with the discovery of and the connecting of clients andservices. The API layer 102 provides send message and receive messagecapabilities. This messaging API may provide an interface for simplemessages in a representation data or meta-data format, such as in theextensible Mark-up Language (XML). Note that while embodiments aredescribed herein employing XML, other meta-data type languages orformats may be used in alternate embodiments. In some embodiments, theAPI layer may also provide an interface for messages to communicatebetween objects or pass objects, such as Java objects. API's may beprovided to discover an object repository or “space”, find a particularobject, claim and release an object, and write or take an object to orfrom the object repository. Objects accessible through API layer 102 maybe represented by a representation data format, such as XML. Thus, anXML representation of an object may be manipulated, as opposed to theobject itself.

API layer 102 sits on top of a messaging layer 104. The messaging layer104 is based on a representation data format, such as XML. In oneembodiment, XML messages are generated by messaging layer 104 accordingto calls to the API layer 102. The messaging layer 104 may providedefined static messages that may be sent between clients and services.Messaging layer 104 may also provide for dynamically generated messages.In one embodiment, an object, such as a Java object, may be dynamicallyconverted into an XML representation. The messaging layer 104 may thensend the XML object representation as a message. Conversely, themessaging layer 104 may receive an XML representation of an object. Theobject may then be reconstituted from that message.

In one embodiment, messages sent by messaging layer 104 may includeseveral basic elements, such as an address, authentication credentials,security tokens, and a message body. The message system transmission andreceive mechanisms may be completely stateless. Any notion of state maybe embedded in the message stream between sender and receiver. Thus,message transmission may be done asynchronously. In a preferredembodiment, no connection model is imposed. Thus, transports such as TCPare not required. Also, error conditions may be limited to non-deliveryor security exceptions.

Messaging layer 104 sits on top of a message capable networking layer106. In a preferred embodiment, messaging layer 104 does not requirethat a particular networking protocol be used. TCP/IP and UDP/IP areexamples of message capable protocols that may be used for messagecapable networking layer 106. However, other more specialized protocolssuch as the Wireless Application Protocol (WAP) may also be used. Otherpossible message protocols are IrDA and Bluetooth network driversbeneath the transport layer. Networking layer 106 is not limited to asingle reliable connection protocol, such as TCP/IP. Therefore,connection to a larger variety of devices is possible.

In one embodiment, message capable network layer 106 may be implementedfrom the networking classes provided by the Java2 Micro Edition (J2ME)platform. The Java2 Micro Edition platform may be suitable for smallerfootprint devices that do not have the resources for a full Javaplatform or in which it would not be efficient to run a full Javaplatform. Since J2ME already provides a message capable family ofnetworking protocols (to support sockets), it follows that for the smallfootprint cost of adding messaging layer 104, distributing computingfacilities may be provided for small devices that already include J2ME.

Message capable networking layer 106 may also be provided by the JavaDevelopment Kit's (JDK) java.net networking classes. Alternatively, anymessage capable networking facilities may be used for message capablenetworking layer 106. In a preferred embodiment, a reliable transport isnot required, thus embedded devices supporting an unreliable data gramtransport such as UDP/IP may still support the messaging layer.

Thus, thin clients may participate in a distributed computingenvironment by simply adding a thin messaging layer 104 above a basicnetworking protocol stack. As shown in FIG. 3, a basic system includesmessaging layer 104 on top of a networking layer 106. The networkinglayer may provide for reliable messages, e.g. TCP, or unreliablemessages, e.g. UDP. The Internet Protocol (IP) is shown in FIG. 3 as anexample of protocol that may be used in networking layer 106. However,the distributed computing environment does not require IP. Otherprotocols may be used in the distributed computing environment besidesIP. A network driver such as for Ethernet, Token Ring, Bluetooth, etc.may also be part of the networking layer. Many small clients alreadyprovide a network driver and transport protocol such as UDP/IP. Thus,with the addition of the thin XML based messaging layer, the device mayparticipate in the distributed computing environment.

Thus, the foundation for the distributed computing environment is asimple message passing layer implemented on top of reliable connectionand/or unreliable data grams. The messaging technology is very differentfrom communications technologies employed in other distributioncomputing systems, such as Jini which employs the Java remote methodinvocation (RMI). The message passing layer 104 supports anasynchronous, stateless style of distributed programming, instead of thesynchronous, state-full style predicated by RMI. Moreover, messagepassing layer 104 is based on a data representation language such as XMLand thus copies data, but not code, from source to destination, unlikeRMI. By using a representation data language, such as XML, messaginglayer 104 may interoperate with non-Java and non-Jini platforms in aseamless fashion because Java code is not assumed on the sending orreceiving end of a message. Moreover, unlike RMI, messaging layer 104does not require a reliable transport mechanism such as TCP/IP.

The message passing layer may provide simple send( ) and receive( )methods to send a message specified as an array or string of bytes, forexample. The send( ) method may return immediately, performing the datatransfer asynchronously. For flow control purposes a callback method maybe supplied which is invoked in the event that the send( ) method throwsan exception indicating it cannot handle the send( ) request. Thereceive( ) method may be synchronous and may return the next availablemessage.

The message passing layer may also provide methods for storing XMLrepresentations of objects, services and content in “spaces”. A space isnamed and accessed on the network using an URI (Uniform ResourceIdentifier). The URI may be a URL (Uniform Resource Locator) or asimpler version of a URL. In some embodiments, the URL class may be toolarge. For such embodiments a simpler resource locator may be used thatspecifies the protocol for moving the messages between client andserver, protocol dependent host ID, protocol dependent port ID, and aspace name.

An XML representation of an object may be added to a space using awrite( ) method provided by the messaging layer. In one embodiment, theobject and the client-specified name may be supplied as parameters. Inone embodiment, the write method may translate the object into its XMLrepresentation. A take( ) method may be provided to return the objectand remove it from the space. A find( ) method may be provided to returna specified object from its XML representation in a space. The find( )method may also be used to return an array of matching objects in aspace given a class.

Each of these space methods is implemented using the message-passinglayer. A lease mechanism may also be provided, as described in moredetail below.

A discovery service may be provided for clients as a general searchfacility that may be used by a client to locate a particular space.Rather than attempt to define a complicated search protocol which maynot be feasible for a thin client to implement, the discovery servicemay offload the actual search to XML-based search facilities, leavingthe discovery service simply to provide interface functionality to theclient. The approach is illustrated in FIG. 4. In one embodiment, thediscovery service receives a string specifying something to locate, andit sends an XML message to a known discovery front-end (perhaps found ina default space), which then parses the string and makes a correspondingXML query to a search facility (which may be an internet searchfacility). The discovery front-end may parse what it obtains from thesearch facility and repackage it as an array of strings (each string maybe a URI for each found space) which it may send in an XML message tothe client. It should be noted that the discovery service does notrequire that the messaging be atop a connection-oriented transport.Thus, even very thin clients that do not have TCP could use such adiscovery service. The discovery front-end makes it possible for theclient to discover spaces without a browser or search facility on theclient. The client only needs a simple facility that sends a string thatspecifies keywords to the front-end, which interfaces with a searchfacility.

A client may be any platform that can send a message using at least asubset of the API and messaging layers. In one embodiment the API layermay provide for both static (or raw) and formatted (or cooked) messages.A server may be any platform capable of receiving and fulfilling messagerequests. An explicit raw message send may be provided that moves aseries of bytes from a client to a server or to another client. Themessage type may be specified as reliable (e.g. TCP) or unreliable (e.g.UDP). The smallest of devices may use raw unreliable message passing astheir sole means of participation in the distributed computingenvironment. The device may use these messages to announce its presenceand its status. Such small devices may also receive raw messages toimplement certain functions, such as turning a feature on or off.

Message-based services such as spaces may send and receive reliableformatted messages. A space message may be formatted with a well-definedheader and with XML. In one embodiment, a formatted message send mayoccur when a client uses a space method to claim, write, or take objectsfrom a space. The message contents may be dynamically formatted in XMLand contain well-defined headers. FIG. 5 illustrates client profilessupporting formatted and static messages. By using static messages,small devices may use a smaller profile of code to participate in thedistributed computing environment. For example, a small device couldjust send basic pre-defined messages. Depending on the client, thestatic pre-defined messages may consume a small amount of memory (e.g.<200 bytes). Static messages may also be an option even for largerdevices. On the other hand, the dynamic XML messages may be useful whenobject values are not known at compile time.

Turning now to FIG. 6, a distributed computing model is illustrated thatcombines a messaging system with XML messages and XML objectrepresentation. The platform independence of XML may be leveraged sothat the system may provide for a heterogeneous distributed computingenvironment. Thus, client 110 may be implemented on almost any platforminstead of a particular platform like Java. The messaging system may beimplemented on any network capable messaging layer, such as Internetprotocols (e.g. TCP/IP or UDP/IP). Thus, the computing environment maybe distributed over the Internet. In one embodiment, the messagingsystem may also use shared memory as a quick interprocess messagepassing mechanism when the client and/or space server and/or service areon the same computer system. The distributed computing model of FIG. 6may also be very scalable because almost any size client can beconfigured to send and/or receive XML messages.

As shown in FIG. 6, two kinds of software programs may run in thedistributed computing model: services 112 and clients 110. Services 112may advertise their capabilities to clients wishing to use the service.The services 112 may advertise their capabilities in spaces 114. Asillustrated in FIG. 7, clients 110 and services 112 may or may notreside within the same network device. For example, devices 120 and 124each support one client, whereas service 112 a and client 110 b areimplemented in the same device 122. Also, as illustrated in FIG. 7, noparticular platform is required for the devices to support the clientsand services. For example, device 120 is Java based, whereas device 124provides a native code runtime environment.

A device may be a networking transport addressable unit. Example devicesinclude, but by no means are limited to: PDAs, cellular/mobile phones,notebook computers, laptops, desktop computers, more powerful computersystems, even supercomputers. Both clients and services may beURI-addressable instances of software (or firmware) that run on devices.Using the distributed computing environment architecture, a client mayrun a service. A space is a service that manages a repository of XMLdocuments. Even though it is redundant, the term, space service, may beused herein for readability. A software component may be both a clientand service at different times. For example, when a service uses a space(e.g. to advertise itself), that service is a client of the space.

FIG. 8 illustrates the basic model of the distributed computingenvironment in one embodiment. The distributed computing environment mayconnect clients 110 to services 112 throughout a network. The networkmay be a wide area network such as the Internet. The network may also bea combination of networks such as a local area network (LAN) connectedto a wireless network over the Internet. As shown in FIG. 8, a service112 publishes an advertisement 132 for itself (represented in XML) in aspace 114. The advertisement 132 specifies the service's XML schema andURI address. Then, a client 110 may look up the advertisement 132. Theclient 110 may use the advertisement 132 to instantiate a gate 130. Thegate 130 allows the client 110 to run the service 112, by sending (andreceiving) XML messages to (and from) the service 112.

Some results of running a service may be returned to the client in anXML message. However, since other results may be too large for a smallclient to receive and consume at once, a service 112 may put thoseresults or an XML representation of the results 134 in a space 114, asshown in FIG. 9, and return them by reference (in an XML message) to theclient 110, rather than by value. Examples of methods of returning areference to results include, but are not limited to: returning in themessage a URI referencing the results in a space, and: returning in themessage an XML document including the URI of the results. Later, theclient 110 may access the results, or pass them by reference to anotherservice. The space in which results may be stored may be different fromthe space in which the service is advertised.

In one embodiment, the distributed computing environment uses XML forcontent definition, advertisement and description. New content for thedistributed computing environment (messages and advertisements forexample) are defined in XML. Existing content types (e.g. developed forother environments) may also be described using XML as a level ofindirection (meta-data). XML provides a powerful means of representingdata throughout a distributed system because, similar to the way thatJava provides universal code, XML provides universal data. XML islanguage agnostic and is self-describing. The XML content may bestrongly typed and validated using schemas. Using a provided XML schema,the system may ensure that only valid XML content is passed in amessage. XML content may also be translated, into other content typessuch as HTML and WML. Thus, clients that do not understand XML may stilluse the distributed computing environment services.

In one embodiment, the distributed computing environment messages maydefine the protocol used to connect clients with services, and toaddress content in spaces and stores. The use of messages to define aprotocol allows many different kinds of devices to participate in theprotocol. Each device may be free to implement the protocol in a mannerbest suited to its abilities and role. For example, not all devices arecapable of supporting a Java runtime environment. The distributedcomputing environment protocol definition does not require nor imply theuse of Java on a device. Nor does it preclude it.

A service's capabilities may be expressed in terms of the messages theservice accepts. A service's message set may be defined using an XMLschema. An XML message schema defines each message format using XMLtyped tags. The tag usage rules may also be defined in the schema. Themessage schema may be a component of an XML advertisement along with theservice's message endpoint used to receive messages. The distributedcomputing environment may allow clients to use all or some subset of aservice's capabilities. Security policies may be employed to enforce theset of capabilities given to a client. For example, once a set ofcapabilities has been given to a client, the client may not change thatset without proper authorization. This model of capability definitionallows for services levels that range from a base set of capabilities toan extended set. Extensions may be added to services by adding to thenumber of recognized messages.

In one embodiment, all operations in the distributed computingenvironment are embodied as XML messages sent between clients andservices. Storage (both transient and persistent) providers are examplesof services that enable clients and services to store, advertise, andaddress content. Clients and services may find each other and brokercontent using a transient storage space. Services may place a content orservice advertisement in a space. The advertisement may describe thecontent type or the capabilities of the service. Clients maysubsequently browse spaces looking for advertisements that match adesired set of capabilities. When a client finds a matchingadvertisement, a communication channel may be established which mayenable bi-directional message passing to the service backing theadvertisement. In one embodiment, the communication channel isauthenticated. Results (which are just another content type) fromservice operations may be returned directly to the client in a responsemessage, advertised and stored in a space, or advertised in a space, butstored persistently. Stored results may be addressed using a URI (e.g.returned in the response message) and may have an associatedauthentication credential.

Message Gates

As discussed above, the distributed computing environment leverages offthe use of a data description language, such as XML. XML may be used todescribe a target entity (e.g. document, service, or client) to anextent such that code may be generated to access that entity. Thegenerated code for accessing the target entity may be referred to as amessage gate. Thus, in one embodiment, the distributed computingenvironment differs from other distributed computing environments inthat instead of passing the necessary code between objects necessary toaccess the other object, the environment provides access to XMLdescriptions of an object or target so that code may be generated basedon the XML description to access the target. The distributed computingenvironment may use an XML schema to ensure type safety as well as aprogramming model (e.g. supported messages) without having to agree uponlanguage specific APIs, just XML schemas.

Code generated from an XML schema may also incorporate the language,security, type safety, and execution environment characteristics of thelocal platform. The local platform may thus have control over thegenerated code to ensure that it is bug-free and produces only validdata according to the schema. The generated code may conform to theclient's code execution environment (e.g. Java, C++, Smalltalk), as wellas its management and security framework (Web-server and/or operatingsystem).

Note that the distributed computing environment does not require thatcode generated from an XML schema be generated “on the fly” at runtime.Instead, some or all of the code may be pre-generated for categories (orclasses) of services, and then linked-in during the platform buildprocess. Pre-generation of code may be useful for some clients, such asembedded devices, where certain XML schemas are already known. In oneembodiment, some or all of the code doesn't actually have to begenerated at all. A private code-loading scheme (within the client)might be used in one embodiment to augment the generation process. Inaddition, the distributed computing environment may specify, in someembodiments, an interface to download code for additional features inaccessing a service (see, e.g., message conductors described below).Typically, such downloaded code may be small and the client may have theoption to download the code or not.

The phrase “generated code” may refer to code that originates within theclient under the control of the client code execution environment, or tocode that is generated elsewhere (such as on the service system or on aspace service system) and that may be downloaded to the client systemafter generation. Binding time, however, may be at runtime. At runtime,the generated code may be bound to a service address (URI), so that amessage may be sent to that service instance.

As discussed above, the interface to any service in the distributedcomputing environment may be specified by an XML schema, defining theset of messages that a client may send (and receive from) that service.As illustrated in FIG. 10, the client 110 and service 112 may eachconstruct a message gate 130 for communicating according to thespecified XML schema. From the XML schema advertised for the service 112(and possibly other information in the service advertisement), a messagegate 130 a or 130 b may be constructed by the client 110 a or 110 brespectively. A corresponding message gate 130 c generated from the sameXML schema may also exist on the service 112 a. A gate 130 is a messageendpoint that may send and/or receive type-safe XML messages, and thatmay verify the type correctness of XML messages when sending and/orreceiving the messages. The message gate may also provide forauthentication and/or other security mechanisms to ensure that themessage endpoint is secure. In one embodiment, message gates are alwayssecure.

The distributed computing environment messaging layer described abovemay be coupled to or may be part of the gate. The messaging layerasynchronously delivers an ordered sequence of bytes, using a networkingtransport, from the sender to the receiver, maintaining the notion onboth the sender and receiver that this sequence of bytes is one atomicunit, the message. The distributed computing environment does not assumethat the networking transport is IP-based. Instead, the messaging layermay sit atop whatever networking transport layer is supported by thedevice.

Message gates may provide a mechanism to send and receive XML messagesbetween clients and services. The XML messages may be “typed”. Forexample, the messages may include tags to indicate if a message datafield is, e.g., integer, floating point, text data, etc. A message gatemay be constructed to verify the type correctness of messages sent orreceived. A message gate also may authenticate (e.g. securely identify)the sender of a received message. An XML schema may be provided for aservice that describes the set of messages accepted by the serviceand/or sent by the service. A message gate may verify the correctness ofmessages sent or received according to the XML schema for which the gateis constructed.

A gate may be constructed as a single atomic unit of code and data thatperforms type verification and/or message correctness verificationand/or sender identification for messages between a client and a servicein the distributed computing environment. In one embodiment, once theatomic unit of code and data for a message gate has been created, itcannot be altered as to its typing, message descriptors, and senderidentification. In another embodiment, the gate may be modified as tothe contents of the message schema after the gate is created, includingdeleting, adding, or modifying messages in the message schema.

A message gate is the message endpoint for a client or service in thedistributed computing environment. A message gate may provide a securemessage endpoint that sends and receives type-safe XML messages.Messages gates may allow clients and services to exchange XML messagesin a secure and reliable fashion over any suitable message transport(e.g. HTTP). For a client, a message gate may represent the authority touse some or all of a service's capabilities. Each capability may beexpressed in terms of a message that may be sent to a service. Each suchmessage may be sent through a client message gate which may verify thecorrectness of the message. The message may be received by a servicemessage gate which may authenticate the message and verify itscorrectness.

A message gate may provide a secure communication endpoint that typechecks XML messages. As further discussed below, a message gate may alsoprovide a mechanism to restrict the message flow between clients andservices. In one embodiment when a client desires to access a service, aclient and service message gate pair is created, if not alreadyexisting. In one embodiment, the service message gate may be createdwhen the service receives a first message from the client message gate.In one embodiment, one or more service message gates may be created whenthe service is initialized, and may be used to pair with client messagegates when created. The creation of a message gate may involve anauthentication service that may negotiate the desired level of securityand the set of messages that may be passed between client and service.In one embodiment, the authentication service may accept a client IDtoken (also referred to as a client token), a service ID token (alsoreferred to as a service token), and a data representation languagemessage schema that describes the set of data representation languagemessages that may be sent to or received from the service. For example,messages may be described that may be sent from a client to a service toinvoke the service or to invoke aspects of the service. Messages mayalso be described that are to be sent from the service, such as responsemessages and event notification messages. Refer to the Authenticationand Security section below for a further discussion of how theauthentication service may be used in the construction and use ofmessage gates.

A client message gate and a service message gate pair may allow messagesto be sent between the client and the service. In one embodiment,message gates may be created that only send and/or receive a subset ofthe total set of messages as described in the message schema for aservice. This limited access may be used within the distributedcomputing environment to implement a policy of least privilege wherebyclients are only given access to specific individual message types,based on a security policy. Refer to the Authentication and Securitysection below for a further discussion of security checks for gate usageand gate creation.

Client and service gates may perform the actual sending (and receiving)of the messages from the client to the service, using the protocolspecified in the service advertisement (URI of service in the serviceadvertisement). The client may run the service via this message passing.A message gate may provide a level of abstraction between a client and aservice. A client may access a service object through a message gateinstead of accessing the service object directly. Since the gateabstracts the service from the client, the service's code may not needto be loaded, and then started, until the client first uses the service.

The client gate may also perform verification of the message against theXML schema, or verification of the message against the XML schema may beperformed by the service gate, e.g. if the client indicates it has notyet been verified. In some embodiments, verification may not bepractical for simple clients and may thus not be required at the client.In some embodiments, verification may be performed by the service. Thegates may also perform authentication enablement and/or securityschemes. In one embodiment, if a client does not support the protocolspecified in the service advertisement, then it may not be able toconstruct the right gate. To avoid this problem, service advertisements(used for gate construction) may include a list of possible URIs for aservice, so a variety of clients may be supported.

A basic message gate may implement an API to send and receive messages.The API moves data (e.g. XML messages) in and out of the gate,validating messages before sending and/or upon receiving. In oneembodiment, message gates may support a fixed minimum API to send andreceive messages. This API may be extended to other features asdiscussed below. As illustrated in FIG. 10 b, a gate 130 may begenerated according to an XML schema 132. The generated gate codeverifies messages based upon the XML schema. The gate may verify correctmessage types and/or content through the message API. As illustrated inFIG. 10 b, through the message API a verified message may be sent to aservice. The message may be received by a corresponding gate at theservice. In response to the message, the service may generate results180. The service may return result data 182 through its gate. Theresults data may be the results themselves or a reference to theresults, such as a URI to results stored in a space. In variousembodiments, the message API may support synchronous messages(request-response), asynchronous messages (response is disconnected fromrequest), unicast messages (point to point), multi-cast messages(broadcast), and publish and subscribe (event messages), for example.Other type of messages may also be supported, such as remote methodinvocation messages.

Each message sent by a gate may include an authentication credential sothat the receiving gate may authenticate the message. Each message mayalso include a token which includes information allowing the receivinggate to verify that the message has not been compromised or altered. Forexample, the sender may compute a hash or checksum of the message whichmay be verified by the receiver. The sender may also encrypt this tokenand/or the entire message using the sender's private key and may includein the encrypted message the corresponding public key so that thereceiver may verify that the token was not changed. See the sectionbelow on Authentication and Security.

A pair of message gates may provide a mechanism for communicatingrequests from clients to services and response from services to clients.Two associated message gate endpoints may be used to create a secureatomic bi-directional message channel for request-response messagepassing. Thus, the distributed computing environment may employ amessage transport in which a message gate exists on both the client andthe service sides. The two gates may work together to provide a secureand reliable message channel.

Turning now to FIG. 11 a, an illustration is provided for one embodimentshowing construction of a gate 130 a in a client 110 from a serviceadvertisement or other service description 132. The client may have agate factory 140 that is trusted code on the client for generating gatesbased on XML service descriptions. The use of the gate factory 140 mayensure that the gate it generates is also trusted code, and that thecode is correct with respect to the service advertisement. As shown inFIG. 11 b, a gate 130 c may also be constructed at a service 112. Theclient gate 130 a and the service gate 130 c provide message endpointsfor communications between the client and service. In one embodiment,the pieces the gate factory needs to construct a gate 130 are the XMLschema of the service (from the service advertisement) and the URI ofthe service (from the service advertisement). In another embodiment, anauthentication credential may also be obtained and used in gateconstruction by running an authentication service specified in theservice advertisement.

A gate factory may provide a trusted mechanism to create message gates.In some embodiments, in order to ensure that a message gate is a trustedmessage endpoint, the code used to create the gate must be trusted code.A gate factory 140 may be a trusted package of code that is used tocreate gates. In one embodiment, each client and service device platformthat desires to send and receive messages in the distributed computingenvironment may have a gate factory. In some embodiments, gates may bepre-constructed by a separate gate factory so that a device withpre-constructed gates may not need a full gate factory, or may include apartial gate factory for binding a service URI and/or an authenticationcredential to the pre-constructed gate at runtime (e.g. when messagingis desired).

A gate factory for a device may generate gate code that may incorporatethe language, security, type safety, and/or execution environmentcharacteristics of the local device platform. By constructing gatesitself, a device has the ability to ensure that the generated gate codeis bug-free, produces only valid data, and provides type-safety. Anadvantage of a device generating its own gate code as opposed todownloading code for accessing a service is that the client codemanagement environment has the control. The generated code may conformto the client's code execution environment (e.g. Java, C++, Smalltalk),as well as its management and security framework (Web-server and/oroperating system). Generated code is also trusted code, because theclient's runtime environment was involved in its creation. Trustedsecurity information therefore may also be added by the trustedgenerated code. Thus, a device may receive an XML message schema for aservice and then construct a gate based on that schema to access thedevice. The XML schema may be viewed as defining the contract with theservice and the generated gate code as providing a secure way to executethe contract. Note that open devices, in which un-trusted (e.g.downloaded) code may be run, may be configured so that gates may begenerated only by trusted code. Open devices may employ a process modelin which gates are enclosed in a protected, isolated code container thatis not accessible to tools, such as debuggers, capable of discoveringthe gate's implementation, especially the gates authenticationcredential.

A gate factory 140 may negotiate on behalf of a client with a service tocreate a gate to send messages to the service. Similarly, a gate may beconstructed at the service to receive messages from the client gate andsend messages to the client gate. Together, the client and service gatesmay form a secure bi-directional communication channel.

A gate factory may provide a level of abstraction in gate creation. Forexample, when a client desires to use a service, instead of the clientdirectly creating a gate to access the service, the gate may be createdby a gate factory as part of instantiating the service.

The gate factory may create or may include its own trusted message gatethat is used to communicate with an authentication service (e.g.specified by a service advertisement) to receive an authenticationcredential for the gate being constructed. For services that do notrestrict access, a gate may be constructed without an authenticationcredential. The gates for such services may not need to send anauthentication credential with each message since the service does notrestrict access. The authentication service is an example of a servicethat does not restrict access, in one embodiment. Thus, a gate factorymay be configured to optimize gate construction by checking whether aservice restricts access. If the service does not restrict access, thenthe gate factory may avoid running an authentication service as part ofgate construction and may avoid included provisions for anauthentication credential as part of the constructed gate. The gatefactory may also receive or download an XML message schema (e.g.specified by a service advertisement) to create a gate matching thatschema. The gate factory may also receive or download a URI for theservice and/or for a service message gate for use in creating the clientmessage gate to communicate with the URI.

In addition, another gate construction optimization may be employed forcertain clients that do not desire to perform checking of messagesagainst a service's XML schema. The client may be too thin to performthe checking or may rely on the service gate to perform the checking ormay simply choose not to perform the checking (e.g. to reduce gatememory footprint). The gate factory may be configured to receive anindication of whether or not a gate should be constructed to verifymessages against the provided XML schema. In some embodiments, certainclients may have a gate factory that does not provide for messageverification against a schema for its constructed gates. In someembodiments, gates may be pre-constructed not to verify messages. Insome embodiments, a gate may be constructed to verify outgoing messagesonly, or verify received messages only. Thus, in some embodiments, aclient may avoid or may chose to avoid building some or all of the gatecode that checks the messages against the XML schema.

In some embodiments, devices may maintain a cache of gates to avoidconstructing them each time the same service is run. For example, when anew gate is constructed by a gate factory, the gate may be maintained ina gate cache. When the gate is no longer being used, it is kept in thegate cache instead of being deleted. If the gate cache becomes full, oneor more gates may be removed from the gate cache according to a cachereplacement algorithm, such as least recently used. When the gatefactory is called to construct a gate, it first checks the gate cache tosee if a matching gate already exists so that construction of a new gatemay be avoided.

The building of a gate may be made lightweight by appropriate reuse ofpieces used to construct other gates. Certain portions of each gate maybe the same, and thus may be reused from gate to gate, such as parts ofthe message verification code. Also, for some devices, common gate codemay be built into the system software for the device and shared by allgates on that device. Thus, the gate factory may avoid rebuilding thiscommon code for each gate. Instead, the gate factory may simply bind thegate to this system software portion. For example, a system softwareportion may be provided to handle the message layer over whatevertransports are provided on the device.

Space services in particular may be good candidates for many of the gateconstruction optimizations described above since a service gateconstructed for a space service may perform many of the same functionsas other service gates for that space service. Refer to the Spacessection below for more information on space services.

In some instances, a more efficient form of method invocation may exist.For example, if the target service runs in the same Java Virtual Machineas the client application, a more efficient form of method invocationmay be to create a Java dynamic proxy class for the service. In such acase, a java.lang.reflect.Method invocation may be faster than sending amessage. A gate binding time procedure may check for such anoptimization and use it instead of running the gate factory to create agate or bind an existing gate.

In one embodiment, such as for special-purpose clients or small embeddeddevices, the generation of gate code at runtime may not be desirable dueto memory consumption and code generation time. Thus, instead of havinga gate factory that generates gates at runtime, in some embodimentsgates may be pre-generated and built into the device. For example,message gates may be generated during the build of embedded software asa means of including a built-in secure message endpoint that does nothave to be constructed at runtime. Thus, a client with built-in gatesmay not need a full gate factory, or may require only a partial gatefactory for performing certain runtime binding to a built-in gate, suchas for the URI and/or authentication credential.

A generation tool may be provided for the pre-construction of gates. Thegeneration tool may include an XML parser, a code generator and a codecompiler. In one embodiment, the code generator may be a Java sourcecode generator and the code compiler may be a Java code compiler. Duringthe build of the software for which built-in message gates is desired,the generation tool is run with input from all the relevant XML schemasfor which gates are desired.

As an example, if it is desired for a device to have a built-in messagegate that can send and receive messages from a digital camera, the buildof the device software may include running the gate generation tool withthe camera's XML message schema as input. The XML schema may be parsedby the XML parser that may convert the XML schema into an internal formsuitable for quick access during a message verification process. Thetool's code generator may provide source code for a gate correspondingto the camera's schema. In some embodiments, the generation tool mayalso compile the source code and the gate code may be linked into thesoftware package for the device. At runtime, the camera service may bediscovered in the distributed computing environment. The message URI forthe camera service may be bound to the built-in gate for the camerawithin the device. The binding of the URI to the pre-constructed gatemay be performed by a gate constructor within the device. This gateconstructor may be a much smaller, simpler gate factory. When the cameraservice is instantiated, the URI for the camera service is passed to thegate constructor as an XML message. The gate constructor may then bindthe URI to the pre-constructed gate.

Thus, a gate may be partially or fully generated at runtime, or a gatemay be pre-generated before runtime with a binding process (e.g. for aURI or credential) performed at runtime. In one embodiment, a gategeneration tool such as the gate factory or the generation tool forpre-constructed gates may be a Java-based tool to provide some level ofplatform independence. Alternatively, gate generation tools may beprovided in any language, such as the native code for a particulardevice in the distributed computing environment.

Note that the distributed computing environment does not preclude adevice from downloading part or all of a gate's code. For example, insome embodiments, a service may provide gate code that may be downloadedby a client wishing to access that service. However, downloaded code maypresent size, security and/or safety risks.

A more detailed illustration of possible gate components for oneembodiment is shown in FIG. 12. A gate may include its address (or name)150, a destination gate address 152, a valid XML schema (or internalform thereof) 154, and a transport URI 153. In other embodiments, a gatemay also include an authentication credential 156. Some gates may alsoinclude a lease 158 and/or a message conductor 160 to verify messageordering.

A gate's name 150 may be a unique ID that will (for the life of thegate) refer only to it. A gate may be addressed using its gate name 150.In one embodiment, gate names may be generated as a combination of astring from an XML schema (e.g. from a service advertisement) and arandom number, such as a 128-bit random number. The name 150 may allowclients and services to migrate about the network and still worktogether. In a preferred embodiment, the gate address is independent ofthe physical message transport address and/or socket layer. Thus, a gatename may provide a virtual message endpoint address that may be boundand un-bound to a message transport address. In one embodiment, a gate'sname may be a Universal Unique Identifier (UUID) that may, for the lifeof the gate, refer only to it.

A gate name may persist as long as the gate persists so that differentapplications and clients executing within the same device may locate anduse a particular gate repeatedly. For example, a gate may be created fora first client process executing within a device to access a service.After the first client process has completed its activity with theservice, it may release the gate. Releasing the gate may involveun-binding the gate from the first client process's message transportaddress (e.g. IP and/or Port address). The gate may be stored in a gatecache or repository. A second client process executing within the samedevice that desires to run the same service may locate the gate by itsname and use it to access the service. To use the gate, the secondclient process may bind the gate to its message transport address, sothat the message endpoint for the second client process is a combinationof the gate name and the second client process's transport address. Inanother example, a client may receive a dynamic IP address (e.g. amobile client). When the client's transport address changes, a gate name(or gate names) may be re-bound to the client's new transport address sothat the client may still access a service(s) that that it previouslyaccessed without having to relocate the service and recreate the gate. Agate name may also be useful for process migration. A process and anyassociated gates may be checkpointed or saved at one node in thedistributed computing environment and moved to another node. The processmay be restarted at the new node and the associated gates may be boundto the transport address for the new node so that the process will stillhave access to the external services to which it had access before beingmigrated. A gate may track the current location of another gate to whichit is paired. Thus a service or client may be migrated and still beaccessible. For example, replicated or load-balanced serviceimplementations may be abstracted from clients of the service by thegate.

Thus, a gate name 150 provides a flexible mechanism by which to addressa message endpoint in the distributed computing environment. A gate namemay be used to locate and/or address a gate over a wide range ofnetworks, from a local network to the Internet. Gate names may beindependent of message transport so that a message endpoint (gate) maybe moved from transport to transport by unbinding and rebinding todifferent underlying transport addresses (e.g. IP/Port address pairs).

In one embodiment, a gate may also be separated from a service so thatthe same gate may be used to send requests to different services overtime. This may involve un-binding the gate's destination gate address152 and binding a new destination gate address to the gate.

A gate may be implemented as a layer above a device's transport layer(e.g. networking sockets). Each gate may include a transport reference153. The gate name 150 may be bound to the transport reference 153 asdescribed above. Multiple gates may share the same message transport.For example, multiple gates may have transport references 153 to thesame TCP/IP socket. By sharing the same message transport, the size andcomplexity of each gate may be reduced. A device in the distributedcomputing environment may have a large number of gates that need to sendand receive messages. The message handling complexity for multiple gatesmay be reduced by sharing a common message transport. The transportreference 153 may be a transport URI (e.g. URL) or socket reference andmay provide a mechanism for naming an underlying transport and sharingthe transport with other gates. Multiple local gates may include areference 153 to the same transport, however, each local gate may behaveindependently of the other local gates sending and receiving messages toand from its paired remote gate.

The schema 154 may be downloaded from a space into the gate by the gatefactory. The schema may be compiled into an internal form suitable forquick access during a message verification process. In one embodiment,the schema may specify two groups of messages: client service messagesand provider service messages. The client service messages groupincludes the description of all messages that the client may send (thatthe provider supports), and the provider service messages group includesthe description of all messages that the provider may send (that theclient receives). In one embodiment, either the client or provider maysend a particular request to the space service to obtain a responsemessage with either: the entire client service messages, the entireprovider service messages, the entire client and provider servicemessages, or a specific message of either the client service messages orthe provider service messages. In addition, once a gate has beenconstructed, a client may query as to the capabilities of the servicewithout the gate actually sending a message, but instead by inspectingthe gate's set of messages.

As described above, a message gate may verify the sender of the messageusing an authentication credential, message content for type safety andaccording to an XML schema. However, it may also be desirable to verifythat messages are sent between a client and a service in the correctorder. It may be desirable to be able to provision applications(services) for clients to run without any pre-existing specificfunctionality related to the application on the client (e.g. no GUI forthe application on the client). For example, a Web browser may be usedon a client as the GUI for a service instead of requiring anapplication-specific GUI. Of the possible messages in the XML schema,the client may need to know what message next to send to the service. Itmay be desirable for the client to be able to determine which message tosend next without requiring the client to have specific knowledge of theservice. In one embodiment, the service may continually send responsemessages indicating the next input it needs. The service would thenaccept only the corresponding messages from the client with therequested input specified. Other ad hoc scheme for message ordering mayalso be employed.

In another embodiment, a message conductor 160 may be employed in thegate or associated with the gate to verify the correct sequence ofmessages, as opposed to verifying each message's syntax (which mayalready be performed in the gate according to the schema). Messageconductor 160 may provide a more general approach for applicationprovisioning. The message conductor 160 may be specified in a service'sadvertisement. The message conductor indication in a schema may allowcode to be generated on or downloaded to the client during gateconstruction, which may provide the choreography needed to decide whichmessage to send next to the service. A message conductor may beimplemented as a Java application, a Java Script, WML script, or inother programming or scripting languages.

In one embodiment, the message conductor may accept as input an XMLdocument (e.g. from a service advertisement) that presents the validorder or choreography for messages that may be sent between a client andthe service. This XML document may also specify user interfaceinformation and other rules. The conductor may parse this XML documentinto an internal form and enforce message ordering (and/or other rules)according to the enclosed ordering information. The conductor mayprevent messages from being sent out of order. Or, if a message is sentout of order, an exception may be raised within the sending device. If amessage is received out of order, the conductor may send an automaticresponse message back declaring the ordering error. The sender may thenresend messages in the correct order. Note that in some embodiments,part or all of a conductor may be shared by several gates. Thus, aconductor may be linked to multiple gates.

In one embodiment of a distributed computing environment, front ends forservices (service interfaces) may be built in to clients. In oneembodiment, the service interface may be a preconstructed user interfaceprovided to the client by the service. In one embodiment, the serviceinterface may be provided to the client in the service advertisement.The service interface may interact on the client with the user of theservice to obtain input for running the service, and then may displayresults of running the service on the client. A “user” may be a human,embedded system, another client or service, etc. In one embodiment, aclient device may not be able to provision arbitrary services, as theclient device may only be able to run services for which it has a frontend built in. In one embodiment, a service interface for a service maybe implemented in a Web browser on the client.

In one embodiment, a message conductor and/or service interface may beexternal to the gate and thus abstracted from the gate and client. Theabstracted message conductor may provide provisioning of arbitraryservices to any client device. In one embodiment, the message conductormay be written in code that may run on substantially any platform. Inone embodiment, the message conductor may be written in the Javalanguage. In one embodiment, the message conductor may not require thearbitrary downloading of objects, for example, Java objects, returned tothe client device. For example, very large objects may be returned, andthe message conductor may choose to not download these very largeobjects. In one embodiment, the message conductor may send XML messagesto services from the client device on behalf of the client. The messageconductor may interact with the user of the service to receive input anddisplay results.

In one embodiment, a service interface may be provided that interactswith the client (e.g. thru a user interface) to obtain all informationto run the service, and then may display either results of running theservice or information regarding the location of results, asappropriate. The service interface may be either part of a messageconductor 160 or may be in addition to and work with message conductor160. The service interface may either be:

-   -   1. Built in to the client device and thus run on the client.    -   2. Downloaded to the client device from the space server.    -   3. Run on the space server.    -   4. Run on the service provider.

In one embodiment, to a client, the distributed computing environmentspace server must support #1 always, indicate if #2 is supported (byadvertisement in space), indicate if at least one of #3 and #4 issupported. Note that whether or not it supports #4 depends upon whetheror not the service provider supports #4. In one embodiment, to a serviceprovider, the distributed computing environment space server mustsupport #4 always and indicate if it supports #3.

Regardless of where the service interface runs, once a service isactivated, the service interface may interact with the client,displaying (remotely) requests for input on the client's display, andthen displaying (remotely) results of running the service. Suchinteraction with the client is implemented in terms of XML messages.

The service interface and/or message conductor may meet the needs of aclient user that may have discovered a service, but does not want toread a typically large, dry computer manual to figure out how to use theservice. As the service interface and/or message conductor interactswith the user to request all input that the service needs, they may evenprovide short descriptions of the input requested if the user requestsit. Once the service interface has obtained the necessary informationfrom the client, it may send XML messages to the service provider thatruns the service. The ordering of the messages may be verified by themessage conductor 160 in the gate.

In a preferred embodiment, all messages flow through a gate. A gate maybe configured to provide a flow control mechanism. For example, aservice may need to handle a large amount of incoming and outgoingmessages. Flow control may allow a service to keep up with high trafficvolume. Gates may be configured to monitor messages for flow controltags. When a gate receives a message, it may examine that message for aflow control tag. The flow control tags may be XML tags. A message mayinclude either an OFF tag or an ON tag, for example. If a receivedmessage includes an OFF tag, the receiving gate will stop sendingmessages to its paired destination gate. If the gate receives a messageincluding an ON tag, it may resume sending messages.

In some embodiments, a client may be too thin to support a full gate, ora client may not include software to directly participate in thedistributed computing environment. In such embodiments, a server (suchas the space server in which the service is advertised or anotherserver) may be a full or partial proxy gate for the client. The servermay instantiate a service agent (which may include a gate) for eachservice to be used by the client. The service agent may verifypermission to send messages; send messages to the provider, possiblyqueuing them until the provider can accept the next one; send messagesto the client, possibly queuing them until the client can accept thenext one; and manage the storing of results in a result or activationspace. See also the Bridging section herein.

For example, as illustrated in FIG. 13, a client may be a conventionalbrowser 400 that does not support gates to participate directly in themessaging scheme described above. The browser 400 may be aided by aproxy servlet (agent) 402. The browser user may use a search engine tofind a Web page that fronts (displays the contents of) a spaceadvertising services within the distributed computing environment. Theuser is able to point and click on the space Web page and, with the helpof the servlet, to access services. The Web pages may include scripts,for example, Java or WML scripts, which may be used in connecting thebrowser to the proxy servlet. Scripts may also be used to send messagesto the proxy servlet. The servlet agent may translate Web page actionsinto messages on behalf of the browser client. These actions may includenavigating a space, starting services, and returning results. Resultpage URIs (referencing pages containing XML) may be returned directly(or translated into HTML or WAP if needed) to the browser, for displayto the user. Thus, the browser-based client does not need to know how tostart services, nor which messages to send during the service usagesession. For example, a user of a WAP browser (e.g. on a cell phone) mayconnect to a space page, browse its contents (services), and then starta service, all by pointing and clicking. The agent 402 provides theclient interface between the conventional client and the distributedcomputing environment.

The distributed computing environment may include several differenttypes of message gates for communicating between clients and servicesthat support different features. For example, as discussed above, somegates may support flow control or billing. Another type of message gatemay support a form of remote method invocation. This type of gate may bereferred to as a method gate. FIG. 14 illustrates the use of a methodgate to provide a remote method invocation interface to a service.Method gates provide a method interface between clients and services. Amethod gate may be bi-directional, allowing remote method invocationsfrom client to service and from service to client. A method gate 172 maybe generated from XML schema information 170 (e.g. from a serviceadvertisement in a space). The XML schema information 170 includes XMLdefining a method interface(s). From this information, code may begenerated as part of the gate for interfacing to one or more methods.Each method invocation (e.g. from a client application 176) in thegenerated code may cause a message to be sent to the service containingthe marshaled method parameters. The message syntax and parameters to beincluded may be specified in the XML schema. Thus, the method gate 172provides an XML message interface to remotely invoke a service method.The method gate may be generated on the client or proxied on a server,such as the space server where the service method was advertised or aspecial gateway server.

A service may have a corresponding method gate that implements or islinked to a set of object methods that correspond to the set of methodmessages defined in the service's XML schema. There may be a one to onecorrespondence between the object methods implemented by or linked tothe service's method gate and the method messages defined by theservice's XML schema. Once a service's corresponding method receives amessage from a client to invoke one of the service's methods, theservice's method gate may unmarshal or unpack the parameters of themessage invocation and then invoke the method indicated by the receivedmessage and pass the unmarshalled parameters.

The method gate may provide a synchronous request-response messageinterface in which clients remotely call methods causing services toreturn results. The underlying message passing mechanics may becompletely hidden from the client. This form of remote method invocationmay deal with method results as follows. Instead of downloading resultobjects (and associated classes) into the client, only a resultreference or references are returned in XML messages, in one embodiment.An object reference 178 may be a generated code proxy (e.g. result gate)representing the real object result 180 (still stored out on the net,for example). In other embodiments, the client may choose to receive theactual result object. Also, once a client has received a result objectreference, the client may use this reference to receive or manipulatethe actual result object. In one embodiment, the result referenceincludes one or more URI's to the real result.

The real result object(s) may be stored in a service results space(which also may be created dynamically by a servlet for example). Thistemporary results space may act as a query results cache. The resultscache (space) may be patrolled by server software (garbage collector)that cleans-up old result areas. Results returned from each methodinvocation may be advertised in the results space. A result itself maybe or include a method that could then be remotely instantiated by aclient, thus generating its own method gate. Therefore, the distributedcomputing environment may support recursive remote method invocation.

As mentioned above, when a client uses a method gate to remotely invokea service method, a reference to the method results may be returned fromthe service method gate instead of the actual results. From thisreference, a result gate may be generated to access the actual result.Thus, the client or client method gate may receive a result URI andperhaps a result XML schema and/or authentication credential forconstructing a gate to access the remote method results.

In one embodiment, a service gate may create a “child gate” for theresults. This child result gate may share the same authenticationcredential as its parent gate. In some embodiments, results may have adifferent set of access rights and thus may not share the sameauthentication credential as its parent. For example, a payroll servicemay allow a different set of users to initiate than to read the payrollservice's results (paychecks).

A service method gate may return a child result gate to the client gateas the result of the method. The client may then use the result gate toaccess the actual results. In one embodiment, the software program(client) receiving the result gate cannot distinguish between the resultgate and the result itself in which case the result gate may be anobject proxy for the actual result object. The result gate may also be amethod gate that supports remote method invocation to result objects. Inthis manner, a chain of parent and child method/results gates may becreated.

In one embodiment, the method gates and remote methods may be in Java.Method results are correctly typed according to the Java typing system.When a Java method is remotely invoked as described above, the resultgate may be cast into the Java type that matches the result type. Inthis embodiment, method gates may be used in the distributed computingenvironment to allow remote Java objects to behave as local Javaobjects. The method invocation and result may appear the same to theclient Java software program whether the real object is local or remote.

See the Spaces section below for a further discussion on the use ofspaces for results.

Message gates may also support publish and subscribe message passing forevents. Message gates with event support may be referred to as eventgates. A service's XML schema may indicate a set of one or more eventsthat may be published by the service. An event gate may be constructedfrom the XML schema. The event gate may be configured to recognize someor all of the set of events published by a service, subscribe to thoseevents, and distribute each event as the event is produced by theservice.

The set of events for a service may be described in the service's XMLmessage schema. For each event message in the XML schema, the event gatemay subscribe itself as a consumer of that event. In one embodiment, anevent gate subscribes to all events indicated by the XML schema. Eachevent message may be named using an XML tag. The event gate maysubscribe by sending a subscription message including the XML tag forthe event to be subscribed to.

When a corresponding event occurs with the service, the service may sendan event message to subscribers indicating the occurrence of the event.The event message may contain an XML event document and may be sent toeach subscribed gate. When a subscribed gate receives the event message,the XML event document is removed from the message and the process ofdistribution begins. Event distribution is the process of handing outthe event document within the client platform. Each event consumerwithin the client platform may subscribe with the event gate for eachtype of event. On Java platforms, the typing system is Java (convertedfrom the XML event type).

The event consumer may supply an event handler callback method to theevent gate. The event gate may store a list of these subscriptions. Aseach event message arrives at the gate (from the service producing theevent), the gate traverses the list of client consumers and calls eachhandler method, passing the XML event document as a parameter. In oneembodiment, the XML event document is the only parameter passed to thehandler callback method.

In one embodiment the event gate automatically subscribes itself forevents on behalf of the local consumer clients. As clients registerinterest with the gate, the gate registers interest with the eventproducer service. A client may also un-subscribe interest, which causesthe gate to un-register itself with the service producing the event.

An event gate may type check the event document using the XML schemajust like a regular message gate does in the standard request-responsemessage passing style described above. An event gate may also include anauthentication credential in messages it sends and verify theauthentication credentials of received event messages.

Note that any combination of the gate functionality described above maybe supported in a single gate. Each type has been described separatelyonly for clarity. For example, a gate may be a message gate, a methodgate and an event gate, and may support flow control and resourcemonitoring.

Service Discovery Mechanisms

In one embodiment, the distributed computing environment may include aservice discovery mechanism that provides methods for clients to findservices and to negotiate the rights to use some or all of a service'scapabilities. Note that a space is an example of a service. The servicediscovery mechanism may be secure, and may track and match outgoingclient requests with incoming service responses.

A service discovery mechanism may provide various capabilitiesincluding, but not limited to:

-   -   Finding a service using flexible search criteria.    -   Requesting an authorization mechanism, for example, an        authentication credential, that may convey to the client the        right to use the entire set or a subset of the entire set of a        service's capabilities.    -   Requesting a credential, document, or other object that may        convey to the client the service's interface. In one embodiment,        the service's interface may include interfaces to a requested        set of the service's capabilities.    -   The tracking of discovery responses to the original requests. In        one embodiment, each client request may include a collection of        data that may also be returned in matching responses, thus        allowing the requests and responses to be correlated.

In one embodiment of the distributed computing environment, a servicediscovery mechanism may provide a flexible search criteria based upon anextensible grammar. In one embodiment, a service name, service type, andother elements, if any, being searched for may be matched with elementsin an XML document. In one embodiment, the XML document is the serviceadvertisement for the service. XML may provide a flexible, extensiblegrammar for searching. XML also may provide type safety for matchingelements. In one embodiment, the service names and service types may betype checked with the element types in the XML service advertisement.

In one embodiment, a distributed computing environment may include amechanism for clients to negotiate service access rights. In oneembodiment, the mechanism may be used to negotiate for a subset of aservice's full capabilities. The result of the negotiation may be anauthorization such as an authentication credential that conveys to theclient the right to use the requested subset of the service'scapabilities.

In one embodiment, the service discovery mechanism may allow a client torequest a security capability credential from a service. In oneembodiment, the client may present to the service a set of desiredcapabilities in the form of a protected (secure) advertisement. Theservice may then respond with a capability credential that may convey tothe client the rights to use the requested capabilities described in theprotected advertisement.

In one embodiment, the distributed computing environment may include amechanism for a client to negotiate service access rights and to thenobtain a security credential or document that may be used to present theservice's access interface to the set or subset of the service'scapabilities that were requested by the client.

In one embodiment, a client that receives a capability credential from aservice may generate a custom service access interface document that maybe referred to as a “complete advertisement.” In one embodiment, thecomplete advertisement may be an XML document. The generatedadvertisement may provide access to the service capabilities as grantedto the client by the received capability credential. In one embodiment,an interface may be provided by the advertisement only to the servicecapabilities to which the client has been granted access by thecapability credential. In one embodiment, the client may be grantedaccess to only required capabilities and to which the client has accessprivileges.

In one embodiment, the distributed computing environment may provide amechanism by which a client may negotiate capabilities with services. Inone embodiment, the client may negotiate its capabilities to theservice. The service may then customize results based on the parametersnegotiated with the client. For example, a client that is capable of onebit display at a resolution of 160×200 may negotiate these parameters tothe service, thus allowing the service to customize results for theclient.

The following is included as an example of an XML capabilities messageand is not intended to be limiting in any way:

-   -   <type name=“Capabilities”>        -   <element name=“display” type=“string”/>        -   <element name=“memory” type=“string”/>        -   <element name=“mime” type=“string”/>    -   </type>

The distributed computing environment may include a mechanism that mayallow clients to negotiate how a service is to return results of aservice invocation. In one embodiment, during a capability credentialrequest, a means by which to choose one of the results return methodsmay be conveyed to the service. The service may then generate a customservice advertisement that may convey to the client the resultsmechanism to be used, as well as the service interface.

In one embodiment, the distributed computing environment may include amechanism for tracking service discovery search requests and responsesto the requests. In one embodiment, search request and response messagesmay include a field that may be used to include a string or an XMLdocument. In one embodiment, the string or XML document included in thefield of a request message is also returned in the response message. Inone embodiment, the string or XML document is required to be returned inthe response message. In one embodiment, the string or XML document mayinclude additional information inserted in or appended to the string ordocument when returned in the response message. In one embodiment, thismechanism may be used in debugging complex systems. In one embodiment,this mechanism may also provide to clients a method for choosingservices to access by using the string or XML document to pass customsearch information between a client and service that may only beunderstood by the client and service.

Matching Component (Service) Interfaces

The distributed computing environment may provide a mechanism formatching a component (for example, a service) specification interfacewith a requested interface. For example, a client (which may be aservice) may desire a service that meets a set of interfacerequirements. Each component may have a description of the interface towhich it conforms. The specification interface matching mechanism mayallow a component that best matches a requestor's interface requirementsto be located. The specification interface matching mechanism may alsoallow for “fuzzy” matching of interface requirements. In other words,the mechanism may allow matching without requiring the exactspecification of all aspects of the interface, thus providing a nearestmatch (fuzzy) mechanism. In one embodiment, the specification interfacematching mechanism may be implemented as a multi-level, sub-classingmodel rather than requiring specification at a single interface level.

In one embodiment, a component may use an XML Schema Definition Language(XSDL) to describe its interface. XSDL may provide a human-interpretablelanguage for describing the interface, simplifying activities requiringhuman intervention such as debugging. In one embodiment, the interfacedescription may be provided as part of an advertisement (for example, aservice advertisement) as described elsewhere in this document.

Using the specification interface matching mechanism, a basic desiredinterface may be compared to a set of component' interface descriptions.One or more components matching the basic desired interface may beidentified. The interface descriptions may include subclass descriptionsdescribing more specifically the interfaces provided by the components.In the search process, the class type hierarchy may be examined todetermine if a given class is a subclass of the search type. In oneembodiment, subclasses may inherit properties of the base class, andthus the subclass-specific information may not be examined in thisphase. Thus, the search may be performed generically. The identifiedcomponents may be searched at the next (subclass) level. The search maybecome specific to the subclass and may be performed by interpreting thesubclass information included in the interface description. The searchmay continue through one or more subclasses until one or more componentsis determined which may provide the nearest match to the requestor'sdesired interface.

In one embodiment, an interface matching mechanism may provide theability to distinguish among two or more components that implementsimilar interfaces. In one embodiment, the interface matching mechanismmay provide the ability to distinguish among different revisions of thesame component.

In one embodiment, a component description may be provided that includesa specification of the interface to which the component conforms. Thecomponent description may also include information about the componentitself. The interface description and/or the component information maybe used to differentiate among different implementations of a giveninterface. The component descriptions may include a canonical identifierand version information. The version information may allow componentrevisions to be distinguished. In one embodiment, the componentdescription may be provided as part of an advertisement (for example, aservice advertisement) as described elsewhere in this document.

In one embodiment, components may be searched for a particular canonicalidentifier. Two or more components may be identified with matchingcanonical identifiers. One or more components may be selected from amongthe components with matching canonical identifiers. The selectionprocedure may use an interface specification version, a componentimplementation specification, a component implementation specificationversion, other information or a combination of information from thecomponent description to produce a set of one or more components thatbest match the requestor's requirements.

Spaces

As mentioned above, the distributed computing environment relies onspaces to provide a rendezvous mechanism that brokers services orcontent to clients. FIG. 15 illustrates the basic use of a space 114.Service providers may advertise services in a space 114. Clients 110 mayfind the advertisements in a space 114 and use the information from anadvertisement to access a service using the XML messaging mechanism ofthe distributed computing environment. Many spaces may exist, eachcontaining XML advertisements that describe services or content. Thus, aspace may be a repository of XML advertisements of services and/or XMLdata, which may be raw data or advertisements for data, such as results.

A space itself is a service. Like any service, a space has anadvertisement, which a client of the space must first obtain in order tobe able to run that space service. A space's own advertisement mayinclude an XML schema, a credential or credentials, and a URI whichindicate how to access the space. A client may construct a gate from aspace service's advertisement in order to access the space. A client ofa space may itself be a service provider seeking to advertise in thatspace or modify an existing advertisement. Or a client of a space may bean application seeking to access a service or content listed by thespace. Thus, spaces may provide catalysts for the interaction betweenclients and services in the distributed computing environment.

A space may be a collection of named advertisements. In one embodiment,naming an advertisement is the process of associating a name string withan advertisement. The association may take place upon storing anadvertisement in a space. Removing an advertisement from a spacedisassociates the name from the advertisement. A space may be createdwith a single root advertisement that describes the space itself.Additional advertisements may be added to a space. An advertisement'sname may locate the advertisement within the space, including specifyingany necessary graphing information such as a hierarchy of names. In apreferred embodiment, the structure of a space is not dictated by thedistributed computing environment. That is, spaces may be structured as,for example, a flat un-related set of advertisements or a graph ofrelated advertisements (e.g. commercial database). Since, in a preferredembodiment, the distributed computing environment does not dictate how aspace actually stores its content, spaces may be supported by small tolarge devices. For example, a simple space may be tailored to fit onsmall devices, such as PDAs. More advanced spaces may be implemented onlarge severs employing large commercial databases.

As mentioned above, a space may contain advertisements for services inthe distributed computing environment. An advertisement may provide amechanism for addressing and accessing services and/or content withinthe distributed computing environment. An advertisement may specify aURI for a service. In some embodiments, the URI may allow for theservice to be accessible over the Internet. An advertisement may alsoinclude an XML schema for the service. The XML schema may specify a setof messages that clients of the service may send to the service toinvoke functionality of the service. The XML schema may define theclient-service interface. Together, the URI and the XML specified in anadvertisement may indicate how to address and access the service. Boththe URI and schema may be provided in XML as an advertisement in aspace. Thus, a mechanism for addressing and accessing a service in adistributed computing environment may be published as an advertisementin a space. Clients may discover a space and then lookup individualadvertisement for services or content.

FIG. 16 illustrates advertisement structure according to one embodiment.An advertisement 500, like other XML documents, may include a series ofhierarchically arranged elements 502. Each element 502 may include itsdata or additional elements. An element may also have attributes 504.Attributes may be name-value string pairs. Attributes may storemeta-data, which may facilitate describing the data within the element.

In some embodiments, an advertisement may exist in different distinctstates. One such state may be a drafted state. In one embodiment,advertisements may initially be constructed in a drafted state thatexists outside the bounds of a space. The creator of an advertisementmay construct it in a variety of ways, including using an XML editor.Access to elements and attributes in the drafted state may be at the rawdata and meta-data levels using any suitable means. Typically, eventsare not produced for changes made to advertisements in the draftedstate. Therefore, the creator of the advertisement may be free to add,change, or delete elements as well as to achieve the desired attributeset, and then publish the advertisement for the rest of the distributedcomputing environment to see.

In one embodiment, another possible state for advertisements is apublished state. Advertisements may move to the published state wheninserted into a space. Once the advertisement is in a space, interestedclients, and services may locate it, e.g. using its name and/or itselements as search criteria. For example, search criteria may bespecified as an XML template document that may be compared (e.g. by thespace service) with the advertisements in the space. Publishedadvertisements may represent “on-line” services ready for clients touse. The message address (URI) of the service may be stored as anelement in the advertisement. Advertisements that are removed from thespace may transition back to the drafted state where they may bediscarded or held. Removal may generate an event so interested listenersmay be made aware of the change. Message gates are typically createdfrom published advertisements.

In one embodiment, yet another possible state for advertisements is apersistent archived state. An archival procedure may turn a livepublished advertisement into a stream of bytes that may be persistentlystored for later reconstruction. Archived advertisements may be sent(e.g. in their raw XML form) from the space to an archival service. TheURI for an advertisement's archival service may be stored as an elementin the advertisement. XML may provide a format for storing andretrieving advertisements and representing the state of advertisementelements sufficient to reconstruct the advertisement object(s).Advertisements may be stored in other formats as well, depending onarchival service implementation. The process of making a publishedadvertisement persistent may prepare the advertisement for thepersistent archived state. Persistent advertisements may be stored (e.g.by an archival service) for future use in a persistent storage locationsuch as a file or a database. A space through the archival procedure mayenable advertisements to be stored, however the space does notnecessarily play a role in how persisted advertisement entries areactually stored. How persisted advertisements are stored may bedetermined by the advertisement's archival service. Typically, no eventsare generated on behalf of archived advertisements. Also, changes maynot be allowed for advertisements in the persistent archived state.

Advertisements may be archived and removed or just archived. If anadvertisement is archived without removing it from the space, the spacewill store a shadow version of the advertisement. Access to an archivedservice may cause the advertisement to “fault-in” from its persistentbacking store on demand. This feature may allow advertisements to befilled, from LDAP (Lightweight Directory Access Protocol) entries forexample, on demand.

FIG. 17 illustrates one example of advertisement state transitions thatan advertisement may undergo during its lifetime. First, anadvertisement may be constructed, as indicated at 1. Duringconstruction, the advertisement is in the drafted state. Then, theadvertisement may be inserted in a space, as indicted at 2. Theadvertisement may be inserted as a published parent. The advertisementis in the published state after being inserted in a space. An event(e.g. AdvInsertEvent) may be generated when the advertisement isinserted in the space. Events are more fully discussed below. Theadvertisement may be archived and made persistent, as indicated at 3,which may transition the advertisement to the persistent archived state.An advertisement may also be published from the persistent archivestate, as indicated at 4. An advertisement may be removed from a spaceand transition back to the drafted state, as indicated at 5. An event(e.g. AdvRemoveEvent) may be generated when the advertisement isremoved.

In one embodiment, the archived, persistent state is not used. In thisembodiment, state changes 3 and 4 also are not used. In this embodiment,an advertisement is either in the drafted state or in the publishedstate.

Advertisements stored in a space may have the following standardizedelements and/or attributes: version (may be an element), creation date(may be an attribute), modification date (may be an attribute),implementation service URI (may be an element), and/or persistencearchival service URI (may be an element).

A space itself is typically a service. A space service may provide theability to search for advertisements in the space, which may includesearching the space by type of advertisements. A space service may alsoprovide facilities to read advertisements, write (publish)advertisements, and take (remove) advertisements. A space may alsoprovide the ability to subscribe for space event notification messages.Some spaces may provide extended facilities, such as facilities tonavigate space relationship graph by position; read, write or takeadvertisement elements; read, write or take advertisement attributes;and subscribe for advertisement event notification messages. Spacefacilities are described in more detail below. A space's capabilitiesare embodied in a space advertisement's message schema. From the messageschema, space address, and authentication credential, a client messagegate may be created to access the space and its facilities.

Spaces and all advertisements within a space may be addressed usingURIs. In one embodiment, space and advertisement names may follow URLnaming conventions. The use of URIs, e.g. URLs, for addressing spacesmay allow spaces to be addressable throughout the Internet, in someembodiments.

The space message recipient (a space service) may be specified using aURI which may have been received in a service advertisement for thespace. The URI may include a protocol, host, port number, and name. Theprotocol may name the protocol that may be used to move messages betweenclients and the space (reliable or un-reliable sockets, for example).The host and port number may be protocol dependent IDs. The name may bethe space name followed by advertisement, element and/or attribute name.In one embodiment, a pathname may be used to identify an advertisementin a space. Pathnames may be either absolute or relative. Absolutepathnames name the space as well as an advertisement. Relative pathnamesare relative a designated advertisement within an assumed space. In oneembodiment, the syntax rules governing the construction of pathnames isthat of the URI (Uniform Resource Identifier). In that embodiment,advertisement and space names therefore may not contain any URI reservedcharacters or sequences of characters. Pathnames to elements andattributes may also be specified using a URI. In general, element andattribute names may be appended to the pathname of an advertisement,such as:

-   -   http://java.sun.com/spacename/advertisement/element/attribute.

In one embodiment, the distributed computing environment may include amechanism that allows a client to discover the URI of a space butrestricts access to the service advertisement for the space. In oneembodiment, rather than returning the full advertisement to the space,the URI of the space and the URI of an authentication service for thespace may be returned. In order for the client to access the documentsor services advertised in the space, the client first may authenticateitself to the authentication service at the URI provided in the returnmessage. The authentication service may then return an authenticationcredential that may allow the client partial or full access to thespace. When the client receives the authentication credential, theclient may attempt to connect to the space to access the documents orservice advertisements in the space.

The distributed computing environment may provide a mechanism ormechanisms that may enable a client to connect to a space. Embodimentsof a connection mechanism may provide for client-space addressing,client authorization, security, leasing, client capabilitiesdetermination, and client-space connection management. A client-spaceconnection may be referred to as a session. In one embodiment, a sessionmay be assigned a unique session identification number (session ID). Thesession ID may uniquely identify a client-space connection. In oneembodiment, a session lease mechanism may be used to transparentlygarbage collect the session if the client does not renew the lease.

The following is an example of using such a connection mechanismaccording to one embodiment. A client may obtain an authenticationcredential. In one embodiment, the space may provide an authenticationservice in response to a client's request for access to the space. Theclient may obtain the authentication credential through theauthentication service. When the client receives the authenticationcredential, the client may initiate a connection to the space by sendinga connection request message. In one embodiment, the connection requestmessage may include the URI address of the space service, theauthentication credential for the client and information about theconnection lease the client is requesting. After the space receives theconnection request message, the space may validate the message. In oneembodiment, an XML schema may be used to validate the message. Theclient may then be authenticated using the authentication credential. Inone embodiment, the information received in the connection requestmessage may be used to determine the capabilities of the client to usethe space. In one embodiment, each client of a space may be assigned itsown set of capabilities for using the space. In one embodiment, anaccess control list (ACL) that may include capability information aboutone or more clients of the space may be used in client capabilitiesdetermination. In one embodiment, the information received in theconnection request message may be used to look up the client'scapabilities in the ACL.

After authenticating the client and determining the client'scapabilities, the connection lease to grant the client may bedetermined. After the lease is determined, the structure for maintainingthe client-space connection may be generated. A session ID for theconnection may be generated. In one embodiment, each client-spaceconnection may be assigned a unique session ID. In one embodiment, anactivation space may be created and assigned to, or alternatively apre-existing activation space may be assigned to, the client-spacesession. In one embodiment, an activation space may be used to storeresults of services for the client when using the space. In oneembodiment, a client's capabilities may be used to determine if anactivation space is to be created for the client. For example, a clientmay not have capabilities to access an activation space to store andretrieve results. A message or messages may be sent to the clientinforming the client that the connection has been established. Themessage or messages may include the session ID and information about thelease. The client may then use the space including, but not limited to:advertisement lookup, advertisement registering, and advertisementretrieval. In one embodiment, he connection may remain open until theallocated lease expires or until the client sends a message requestinglease cancellation to the space. In one embodiment, the client may beresponsible for renewing the lease before the lease expires. If thelease expires before the client renews the lease, the connection may bedropped, causing the client to lose the connection to the space. In oneembodiment, to reconnect, the client may be required to repeat theconnection procedure.

In one embodiment, a client of a space may obtain a space'sadvertisement several different ways. Some of the ways a client mayobtain a space's advertisement are illustrated in FIG. 18. For example,a space discovery protocol may be provided as part of the distributedcomputing environment. Space discovery is a protocol a client or servicemay use to find a space. A listener agent 202 may be configuredassociated with one or more spaces to listen for discovery requests. Thediscovery listener agent 202 may listen on various network interfaces,and may receive either broadcast requests or unicast requests (at theURI of the agent) from clients 200 a looking for a space(s). Thelistener agent 202 then responds with the service advertisement(s) orURIs for the service advertisements of the requested space(s). In oneembodiment, the listener agent is, in general, separate from the space,because its functionality is orthogonal to the functionality of a spaceservice. However, the listener agent may be implemented on the samedevice or a different device as a space service.

In one embodiment, the discovery protocol may be a service advertised ina default space. A client may instantiate the discovery protocol fromthe client's default space in order to discover additional spaces. Thediscovery protocol may be pre-registered with a client's default space.Alternatively, the discovery protocol may register itself with thedefault space by placing an advertisement in that space, e.g., when aclient connects to a local network serviced by the discovery service.

In one embodiment, the space discovery protocol may be mapped tounderlying device discovery protocols for other platforms, such as SLP,Jini, UPnP, etc. Thus, a client may use the discovery protocol of thedistributed computing environment to find services in otherenvironments. A bridge to these other environments may be provided andadvertisements provided services in these other environments so thatthey may be accessed by clients of the distributed computing environmentdescribed herein. Refer to the Bridging section.

For each advertised discovery protocol, the distributed computingenvironment may create a subsequent results space to hold the results ofthe discovery protocol. In one embodiment, space services in thedistributed computing environment may use the Multicast AnnouncementProtocol (multicast UDP) to announce themselves on a LAN. Thisinformation may be recorded by a listener agent. A device (either aclient or service) may use the Multicast Request Protocol (multicastUDP) to initiate discovery of a space manager. In one embodiment, thespace managers respond with information indicating the URI of theirrespective spaces. Alternatively, a listener agent may respond formultiple spaces. The discovery response may also include a short stringthat labels the each space (e.g. obtained from keywords of the space),and information that can be used to set up a TCP connection, forexample, with each space manager to perform operations on the respectivespace. Since the requesting device may receive responses from more thanone space manager (or multiple space listings from a listener agent),this information may help the client select which space it wishes toconnect to.

In addition to the multicast discovery described above, the discoveryservice may also perform discovery using unicast messaging (e.g. overTCP) that can be used to discover a space manager at a known address onthe network (e.g. the Internet, other WAN, LAN, etc). The unicastdiscovery message may include a request for a space service at a knownURI to provide its service advertisement. The multicast and unicastdiscovery protocols are defined at the message level, and thus may beused regardless of whether the devices participating in the discoverysupport Java or any other particular language.

The discovery protocol may facilitate the proliferation of clientsindependently of the proliferation of server content that supports thoseclients within the distributed computing environment. For example, amobile client may have its initial default space built into its localplatform. In addition to local services advertised in the default space,the mobile client may have services that search for additional spaces,such as a service to access the discovery protocol or a service toaccess space search engines.

In one embodiment, the distributed computing environment space discoveryprotocol may define a set of XML messages and their responses that mayallow clients to:

-   -   Broadcast protocol-defined space discovery messages on their        network interfaces.    -   Receive from listeners XML messages describing candidate spaces        that those listeners represent.    -   Select one of those discovered spaces as default, without the        client needing to know the address of the selected space.    -   Obtain information on the selected space, such as its address,        so the client may later find that same space via means outside        of the discovery protocol (useful if later the client wants to        access a space which is no longer local, but which still is of        interest to the client).

In some embodiments, the multicast and unicast discovery protocols mayrequire an IP network. Although these discovery protocols meet the needsof devices that are IP network capable, there are many devices that maynot be directly supported by these discovery protocols. To meet theneeds of such devices in discovering spaces in the distributed computingenvironment, a pre-discovery protocol may used to find an IP networkcapable agent. The pre-discovery protocol may include the device sendinga message on a non-IP network interface requesting a network agent. Thenetwork agent may set up a connection between itself and the device.Once the connection between device and agent is set up, the agentparticipates in the discovery protocol on IP networks on behalf of thedevice for which it serves as agent. The network agent may also providean interface for the device to the distributed computing environment ingeneral. For example, gates may be constructed in the agent on behalf ofthe device for running services advertised in discovered spaces. See theBridging section.

Another way that clients may locate spaces in the distributed computingenvironment is by advertisement of a space in another space. A space isa service, so like any other service, it can be advertised in anotherspace. As shown in FIG. 18, a client 200 b may find an advertisement 206in a first space 204 a for a second space 204 b. Space 204 b may in turninclude advertisements to additional spaces. Because a service(implementing a space) may also act as a client, spaces may exchangeadvertisements or chain together to provide a federation of spaces, asillustrated in FIG. 19. Any number of spaces may be included in thedistributed computing environment. The number and topology of spaces maybe implementation dependent. For example, spaces implemented on an IPnetwork might each correspond to a different subnet.

A third way a client may locate a space is through running a service208, as shown in FIG. 18. A service 208 may be run which returns as itsresults the service advertisements of space services. Since serviceadvertisements are XML documents and since the distributed computingenvironment may include the Internet, service 208 may be a Web-basedsearch tool. An example of such a service is the space look-up servicedescribed in conjunction with FIG. 4. In one embodiment, spaces withinthe distributed computing environment may be implemented as Web pages.Each Web page space may include a keyword that may be searched upon toidentify the Web page as a space in the distributed computingenvironment. The space may include other searchable keywords as well tofurther define the space. A client may connect to a search service 208and supply keywords to the search service in the form of XML messages.The search service may receive the keywords from the client and feed thekeywords to an Internet search engine, which may be a conventional orthird-party search engine. The search service may return the resultsfrom the Internet search engine to the client, either directly as XMLmessages or by reference to a results space. The results may be the URIsof spaces matching the search request. Alternatively, the search servicemay contact spaces identified by the search, obtain the serviceadvertisement for each such space, and return the space serviceadvertisements to the client, either directly as XML messages or byreference to a results space. The client may then select a space fromthe search results and construct a gate (by itself or through a proxy)to access the selected space. Once the selected space is accessed, theclient may look up service advertisements within that space, which maylead to additional spaces.

As described above, a space may be an XML-based Website, and as such maybe searched via Internet Web search mechanisms. A space may includeInternet searchable keywords. Some devices, such as small clientdevices, may not support an internet browser. However, such devices maystill perform Internet searches for spaces within the distributedcomputing environment. A device may have a program that accepts stringsof keywords, which may be sent to a proxy program on a server (e.g. asearch service). The proxy may send the strings to a browser-basedsearch facility (e.g. an internet search facility) to perform thesearch. The proxy may receive the output of the search and parse it intostrings (e.g. XML strings) representing each URI for the search resultsand send the response strings back to the client. Thus, a client maylocate spaces through the Internet without having to support a programsuch as a Web browser. More capable devices may avoid the use of a proxyand initiate an Internet-based search service directly.

In some embodiments, a search service may limit or filter spaces thatmay be found through the search service, or constrain clients tosearching only a few supported spaces within the distributed computingenvironment. The extent of searching permitted may be determinedaccording to the client authentication.

A fourth way a client may locate a space is by obtaining or receivinginformation about a newly created empty space or a spawned space when anexisting space is spawned. An existing space may include an interfacefor spawning an empty space with the same functionality (e.g. same XMLschema) as the space from which it is spawned. Spawning of spaces isfurther described below.

Once a client of a space finds the advertisement of a space service,that client of the space may run the space service, as it would anyother service. Note that the client of the space service may be anotherservice (e.g. a service seeking to advertise in the space). In oneembodiment, as illustrated in FIG. 20, to run a space service, theclient of the space may first run an authentication service for thespace to obtain an authentication credential, as indicated at 300. Theauthentication service may be specified in the service advertisement ofthe space service. The client of the space uses the authenticationcredential, the XML schema of the space (from space's serviceadvertisement), and the URI of the space (from space's serviceadvertisement) to construct a gate for the space, as indicated at 302.The client of the space may then run the space service by using the gateto send messages to the space service. A first such message is indicatedat 304.

For embodiments employing authentication, when the space servicereceives the first message from the client, with the authenticationcredential embedded, the space service uses the same authenticationservice (specified in the service advertisement of the space service) toauthenticate the client, thus establishing its identity, as indicated at306. The space service may determine the client's capabilities and bindthem to the authentication credential, as indicated at 308.

As indicated at 310, a client of a space may run various spacefacilities by sending messages to the space service. In one embodiment,when a client of a space sends a request to the space service, it passesits authentication credential in that request, so the space service cancheck the request against the client's specific capabilities.

Each space is typically a service and may have an XML schema definingthe core functionality of the space service. The XML schema may specifythe client interface to the space service. In one embodiment, all spaceservices may provide a base-level of space-related messages. Thebase-level space functionality may be the basic space functionality thatis capable of being used by most clients, including small devices suchas PDAs. It may be desirable to provide for additional functionality,e.g. for more advanced clients. Extensions to the base-level space maybe accomplished by adding more messages to the XML schema thatadvertises the space. For example, in one embodiment, the base-levelmessages do not impose any relationship graph upon the advertisements.Messages, for example, to traverse a hierarchy of advertisements may bea space extension. Providing such additional functionality may be doneby providing one or more extended XML space schemas or schema extensionsfor a space. The extended schemas may include the base schema so thatclients of an extended space may still access the space as a base space.

In one embodiment, a base space service may provide a transientrepository of XML documents (e.g. advertisements of services, results ofrunning services). However, a base space service in one embodiment maynot provide for advanced facilities to support persistence of spacecontent, navigation or creation of space structure (e.g. hierarchy), anda transactional model. A mechanism for supporting persistence,hierarchy, and/or transactions is by extending the XML schema. Sinceextended spaces still include the base XML schema, clients may stilltreat extended spaces as base spaces, when just the base spacefunctionality is all that is need or all that can be supported.

In one embodiment, the base space may be transient. The base space maybe acceptable for many purposes. Service providers may register theirservices in various spaces. In one embodiment, services mustcontinuously renew leases on the publishing of information in thespaces. By this nature, the services advertisements may be transient inthat they may often be rebuilt and/or reconfirmed. However, it may bedesirable to provide for some persistence in a space. For example, aspace that has results may provide some persistence for users that wantto be sure that results are not lost for some time. In one embodiment,persistence may be provided for by specifying a space interface wherethe client may control which objects in the space are backed by apersistent store and manage the maintenance of that persistence store.The persistence interface may be specified with extended XML schema forthe space defining the interfaces for persistence.

In one embodiment, a base space may provide an interface where an XMLdocument may be added to a space and identified by a string. The basespace may not provide any hierarchy for the various so named XMLdocuments in the space. In embodiments where hierarchy support isdesired, additional interfaces may be defined (extending the XML schema)where a hierarchy can be specified by the user. Other interfaces may bespecified to navigate the hierarchy or navigate a relationship graph byposition. However, other users may still use the base space interfacesto access those same documents, without any hierarchy. Interfaces forother space structure may be provided for as well in extended spaceschemas.

Extended XML space interfaces may also be provided for space transactionmodels. For example, an extended space XML schema may be providedspecifying an interface for ACID transactions. ACID is an acronym usedto describe four properties of an enterprise-level transaction. ACIDstands for Atomicity, Consistency, Isolation, and Durability. Atomicitymeans that a transaction should be done or undone completely. In theevent of a failure, all operations and procedures should be undone, andall data should rollback to its previous state. Consistency means that atransaction should transform a system from one consistent state toanother consistent state. Isolation means that each transaction shouldhappen independently of other transactions occurring at the same time.Durability means that completed transactions should remain permanent,e.g. even during system failure. Other transaction models may also bespecified in extended space schemas.

Extended space schemas may be XML documents that specify the messageinterface (e.g. XML messages) for using extended space features,functionality or facilities. A space may have a base schema and multipleextended schema. This may facilitate provided different levels ofservice to different clients depending upon the client authentication.

Besides extensions for space persistence, structure, and transactions,other space extensions may also be specified as desired. For example,extensions may be provided to manipulate advertisements at the elementor attribute level: read, write or take advertisement elements; read,write or take advertisement attributes; and subscribe for advertisementevent notification messages. A space may provide virtually any number offacilities and arrange them in base and extended schemas as desired. Inone embodiment, all base spaces must provide for advertisement reading,writing, taking, and lookup facilities, and space event subscriptions.

Various space facilities may be provided. In some embodiments, afacility may be provided for the establishment of a session with thespace. In one such embodiment, the rest of the space functionality isnot available until this is done. In other embodiments, the notion of asession is not provided for, or is optional and/or implementationdependent.

Another space facility may be to add or remove a service advertisementto or from the space. A space facility may also be provided for addingor removing an XML document (not an advertisement, but perhaps a resultin a space). The space service may check for uniqueness of an itembefore allowing the addition of the item. For example, each item addedto the space may be associated with a user-specified string thatidentifies the item and that may be used to check for the uniqueness ofthe item.

In one embodiment, a client may request a listing, tree, or otherrepresentation of all services advertised in the space. The user maythen scroll or maneuver through the advertisements and select thedesired service. A space may also provide a look-up facility that allowsa client to search for a service by providing keywords or string names.In one embodiment, a space facility may provide a mechanism to look up aspace entry that has been added to the space. The look up facility maysearch by string to match for name, or wildcard, or even database query.The look up facility may return multiple entries from which the clientmay select one or perform a further narrowing search. In one embodiment,the look-up facility may provide a mechanism to locate a serviceadvertisement matching a particular XML schema. The client may indicatea particular XML schema, or part of a particular XML, to be searched forwithin the space. Thus, a service may be searched for within a spaceaccording to its interface functionality.

Another space facility that may be provided in the distributed computingenvironment is a mechanism that allows services and clients to findtransient documents based upon a typing model such as XML. The mechanismmay be a general-purpose, typed document lookup mechanism. In oneembodiment, the lookup mechanism may be based upon XML. The lookupmechanism may allow clients and services to find documents in general,including services through service advertisements.

In one embodiment, a space lookup and response message pair may be usedto allow clients and services to find XML documents stored within anetwork transient document store (space). The space may be a documentspace used to store a variety of documents. In one embodiment, thedocuments are XML documents or non-XML documents encapsulated in XML.Spaces are further described elsewhere herein. The lookup messages maywork on any kind of XML document stored in the space, including serviceadvertisements and device driver advertisements. In one embodiment, aclient (which may be another service) may use a discovery mechanism asdescribed elsewhere to find one or more document spaces. Then, theclient may use space lookup messages to locate documents stored in thespace.

The distributed computing environment may include a mechanism thatallows services and clients to subscribe to and receive events about thepublication of XML documents. Events may include the publication of andremoval of XML documents to and from a transient XML document repositorysuch as a space. In one embodiment, an event may be an XML document thatrefers to another XML document.

In one embodiment, a space event subscription and response message pairmay be used to allow clients and services to subscribe for eventsregarding documents that are added to or removed from a space. In oneembodiment, an event subscription may be leased using the leasingmechanisms described elsewhere herein. In one embodiment, a subscriptionmay be cancelled when the lease is cancelled or expires. In oneembodiment, a subscription may be renewed by renewing the lease to thesubscription.

In one embodiment, an event subscription message may include an XMLschema that may be used as a document matching mechanism. Documents thatmatch the schema may be covered by the subscription. In one embodiment,any document added to a space and that matches the XML schema maygenerate a space event message.

A space facility may also be provided to which a client may register (orunregister) to obtain notification when something is added to or removedfrom the space. A space may contain transient content, reflectingservices that at added and removed from the space. A mechanism may beprovided to notify a client when a service becomes available or becomesunavailable, for example. A client may register with an event service toobtain such notification. In one embodiment, a client may register to benotified when a service having a name matching a specified string or aschema matching a specified schema (or schema portion) is added ordeleted from the space. Thus, a query to register with the space eventnotification facility may be the same as or similar to that of theservice look up facility described above.

When a client of a space subscribes to be notified when an XMLdocument(s) (e.g. service advertisement) is added or removed from thespace, the client may obtain a lease on this subscription tonotifications. The lease may allow the space service to know whether tocontinue sending notifications to a particular client. For example, alease to the notification facility may expire after an amount of time ifnot renewed. Note that a lease may not be required while a client hasestablished an active session with a space. Once, a client hasdiscontinued an active session with a space, it may continue to receiveevent notifications according to its event subscriptions as long as itscorresponding leases remain active. Refer to the Leases section below.

A client may subscribe to different types of events. Examples are aservice advertisement being added or removed from a space, as describedabove. A client may also be notified when results from a serviceinitiated by the client (or by someone else) are put in a space. Forexample, the client and the service may mutually select a name forreferring to the results of the service. The client may register withthe space service to which the results are to be posted or advertised toreceive an event when a result referenced by the selected name is addedto the space.

A space may generate different types of events to which a client maysubscribe. As the composition of a space changes, events may be producedto those clients and services that have subscribed for such events. Inone embodiment, there may be two major space event categories, thosethat pertain to the space (insertion and removal of advertisements), andthose used that indicate changes to an advertisement (adding, removing,changing an element or attribute). Which events are supported may beindicated in the XML message schema for the space.

The following events are examples of events that may be produced by aspace service to indicate an space or advertisement event:

TABLE 1 Space Events Event Name Type Meaning AdvertisementAdvInsertEvent New advertisement Insertion Event has been inserted intoa space Advertisement AdvRemoveEvent Existing advertisement RemovalEvent has been removed from a space Advertisement AdvElementInsertEventA new element has Element Insertion been added to an Event advertisementAdvertisement AdvElementRemoveEvent Existing element has Element Removalbeen removed from an Event advertisement AdvertisementAdvElementChangeEvent Existing element has Element Change been changedin an Event advertisement Advertisement Ele- AdvElementAttributeInsert Anew attribute has ment Attribute Event been added to an Insertion Eventelement Advertisement Ele- AdvElementAttribute Existing attribute hasment Attribute RemoveEvent been removed from an Removal Event elementAdvertisement Ele- AdvElementAttribute Existing attribute has mentAttribute ChangeEvent been changed in an Change Event element

Events may be typed. In some embodiments, the event facilities supportedby spaces may allow for event listeners to take advantage of, e.g., Javaclass (or XML types) hierarchies. For example, by listening forAdvElementEvent, the listener will receive events of typeAdvElementEvent and all of its sub-classes (XML types). Thus, for thisexample all events pertaining to element changes (though notadvertisement insertion and removal) are received.

By way of further example, subscribing to or listening for a top-levelevent class or type, e.g. SpaceEvent, will result in the reception ofall space events. Event class types may be distinguished via, forexample, the Java instanceof operator or the XML typing system.

An event may include a URI to the affected advertisement or element. Forexample, AdvertisementEvent and all its sub-classes may contain areference (e.g. URI or URL) to the affected advertisement.AdvElementEvent and its subclasses may be examined for the name of theaffected element. The previous element value (URI or URL), may beavailable, for example, from AdvElementRemoveEvent andAdvElementValueChangeEvent.

A space event type hierarchy for one embodiment is illustrated in FIG.21. Types may be defined in XML and usable in Java or any other suitableobject-oriented language such as C++.

A space may provide a facility for a client to instantiate a serviceadvertised in the space. Service instantiation is the initializationdone that allows a client to be able to run a service. On embodiment ofservice instantiation is illustrated in FIG. 22. To instantiate aservice, a client may first select one of the service advertisementspublished in the space, as indicated at 320. The client may use thevarious facilities, such as the look up facility, provided by the spaceto look up the various advertisements in the space. Then the client mayrequest the space to instantiate the service, as indicated at 322.

In one embodiment, service instantiation may include the followingactions. After the client requests the space service to instantiate theselected service, as indicated at 322, the space service may then verifythe client is allowed to instantiate the requested service, as indicatedat 324. The space service may perform this verification by examining anauthentication credential included in the clients message. Theauthentication credential is the credential the client received when itestablished a session with the space service. The space service mayverify if the client is allowed to instantiate the requested serviceaccording to the client's authentication credential and capabilitiesindicated for that client. See the Authentication and Security sectionherein.

Assuming the client is authorized, the space service may also obtain alease on the service advertisement for the client with the lease requesttime specified by the client, as indicated at 326. Leases are furtherdiscussed below. The space service may then send a message to the clientwhich includes the allocated lease and the service advertisement of theservice, as indicated at 328. In one embodiment, the client may run anauthentication service specified in the service advertisement and obtainan authentication credential, as indicated at 330. See theAuthentication and Security section herein for more information on anauthentication service. Next, as indicated at 332, the client mayconstruct a gate for the service (for example, using the authenticationcredential and the XML schema and service URI from the advertisement).Refer to the Gates section herein. The above described communicationbetween the client and space service is performed using the XMLmessaging of the distributed computing environment. The client may thenrun the service using the constructed gate and XML messaging. Theservice may similarly construct a service gate for XML messagecommunication with the client.

To summarize, an example use of a space is discussed as follows. Aclient may access (e.g., connect to) a space service. (A service may actas a client for the purpose of accessing or otherwise using a space.)The space service may store one or more service advertisements and/orother content in a space, and each of the service advertisements mayinclude information which is usable to access and execute acorresponding service. The space service may include a schema whichspecifies one or more messages usable to invoke functions of the spaceservice. For example, the schema may specify methods for readingadvertisements from the space and publishing advertisements in thespace. The schema and service advertisements may be expressed in anobject representation language such as eXtensible Markup Language (XML).In accessing the space service, the client may send information such asan XML message (as specified in the schema) to the space service at anInternet address. In accessing the space service, the client may searchthe one or more service advertisements stored in the space. The clientmay select one of the service advertisements from the space. In oneembodiment, the client may send an instantiation request to the spaceafter selecting the desired service advertisements from the space. Alease may be obtained for the desired service, and the lease and theselected service advertisement may be sent by the space service to theclient. The client may then construct a gate for access to the desiredservice. The desired service may be executed on behalf of the client.

Another facility provided by a space service may be the spawning orcreation of an empty space. This space facility may allow a client(which may be a service to another client) to dynamically create a newspace. In one embodiment, this space facility may include an interfacefor spawning an empty space with the same functionality (same XML schemaor extended schema) as the space from which it is spawned. This facilitymay be useful for generating (e.g. dynamically) spaces for results. Forexample, a client may spawn a space a request a service to place resultsor advertise results in the spawned space. The client may pass thespawned space URI and/or authentication credential to the service. Or aservice may spawn a space for results and pass the spawned space URIand/or authentication credential to the client. In some embodiments,once a space is spawned, it may be discovered just like other spacesusing one or more of the space discovery mechanisms described herein.

FIG. 41 is a flow diagram illustrating the spawning of a new space in adistributed computing environment according to one embodiment. Asindicated at 1900, a client may access (i.e., connect to) a first spaceservice. (A service may act as a client for the purpose of accessing orotherwise using a space.) The first space service may store one or moreservice advertisements and/or other content in a first space, and eachof the service advertisements may include information which is usable toaccess and execute a corresponding service. The first space service mayinclude a first schema which specifies one or more messages usable toinvoke functions of the first space service. For example, the firstschema may specify methods for reading advertisements from the firstspace and publishing advertisements in the first space. The first schemaand service advertisements may be expressed in an object representationlanguage such as eXtensible Markup Language (XML). In accessing thefirst space service, the client may send information such as an XMLmessage (as specified in the first schema) to the first space service ata first Internet address (e.g., URI). In accessing the first spaceservice, the client may search the one or more service advertisementsstored in the first space.

In one embodiment, spaces may include a facility for spawning newspaces. As indicated at 1902, the creation of a second space may berequested, such as by the client sending an appropriate request to aninterface of the first space. In one embodiment, the request may beformatted as an XML message according to the first schema for the firstspace. In response, a second space service with a second space may becreated, such as at a second Internet address (e.g., URI), as indicatedat 1904. As above, the second space service may include a second schemawhich specifies one or more messages usable to invoke functions of thesecond space service. The second schema may include at least the firstschema, and the second schema may include additional functionality aswell. In one embodiment, the schema of the second space may include aportion of the first schema, or the second schema may be specified atthe time of creation of the second space. As indicated at 1906, theclient may then access the second space by sending to the second spaceat least one of the messages specified in the second schema.

Spawning a space may include administration initialization, such as forsecurity. In one embodiment, when a requestor has just spawned a space,only the requester is initially allowed to access the spawned space.Such limiting of access to the spawned space may be useful when a clientand service are using that spawned space to store results. Refer to theAuthentication and Security section for more information on spawnedspace authentication and security. Once a client has spawned a newspace, it may build a gate to access the spawned space.

By using a mechanism in which a space may be created via an interface inanother space (e.g. a space spawning facility), new spaces may becreated efficiently. For example, in one embodiment, storage for thespawned space may be allocated using the same facility used by theoriginal space for storage. In one embodiment, the first space may storea first set of information, such as XML advertisements or other content,according to a particular storage model. Upon its creation, the secondspace is operable to store a second set of information according to thesame storage model. Also, a spawned space may share a common servicefacility with its original (or parent) space. For example, a new URI maybe assigned to the new space. In one embodiment, the new URI may be aredirection to a common space facility shared with the original space.Thus, a newly spawned space may use the same or some of the same servicecode as that of the original space. In other words, the first spaceservice may include a set of program instructions which arecomputer-executable to provide the first space. The second space servicemay include substantially the same set of program instructions, whereinthe set of program instructions are further computer-executable toprovide the second space.

Space facilities may also include security administration, for example,to update the various security policies of the space, and otheradministrative facilities. For example, the number and age ofadvertisements may be controlled and monitored by a root space service.Old advertisements may be collected and disposed. See, e.g., the Leasessection herein for when an advertisement may be considered old. Theservice implementing the space may be under the control of anadministrator. The administrator may set policy in a service dependentmanner.

Space facilities may also include a facility to delete an empty space.

Certain spaces may include facilities or services to further support theproliferation of certain clients, such as mobile clients. For example,services in spaces that a mobile client may discover, e.g. via thediscovery protocol, may provide support for mobile clients, such as:

-   -   Assigning and administering temporary network addresses for the        client.    -   Proxying message passing for the client.    -   Providing search facilities for additional spaces. For example,        a service may allow a client to specify keywords through a        simple interface. The service then uses the keywords in        conjunction with Web search engines to search for spaces on the        Web, as further described herein. In other embodiments, a search        service may constrain clients to searching only a few supported        spaces within the distributed computing environment.

As mentioned earlier (see FIG. 9 and accompanying text), spaces mayprovide a convenient mechanism for storing results from a service run bya client. Using a space for results may allow a small client to receivein pieces the results of running a service. Some services may generate alarge amount of results. By using a space to store the results from aservice, clients that do not have the resources to receive the fullresults at once may still use the service. Moreover, by using a space tostore results, a service running on a fast busy server may be freed frominteracting directly with a slow client when returning large results.Thus, the service may be freed sooner for use by other clients.

A space may provide a convenient mechanism for accessing a result bydifferent clients and/or at different times. For example, a client maynot be able to use the entire result, but a user may want to access therest of the result later using another client that can access it. Forexample, the result could be stock quote information, showing thecurrent price of a stock (accessible by a PDA), and showing a chart ofstock prices (accessible by a laptop later). Also, using a space in thedistributed computing environment for results may allow a client to feedthe result of one service into another service, without the necessity ofdownloading the result first. For example, in the case of the stockquote information above, the PDA could feed the chart into anotherservice, which prints the chart, without the PDA having to download thechart itself. Thus, a results space may provide a mechanism for a clientto pass to another client or service without the client having to handleor receive the results.

In different embodiments, the decision to use a space for results may bemandated by the service, mandated by the client, and/or requested by theclient. A service may suggest the use of a space for its results, e.g.,in its advertisement. In one embodiment, either the client or theservice may spawn a new space for results or use an existing space forresults. See the description herein regarding spawning spaces.

In one embodiment, the use of a space for results does not necessarilymean that the service must put all results in that space. There may bealternatives for any result a service generates. For example, part orall of the result may be sent in-line in a message to the client.Alternatively, the result may be put in the space, and then anotification message may be sent to client, referencing the result (e.g.including a URI to the result or to an advertisement for the result).Another option may be to put the result in the space, with notificationvia an event from the space. For example, the client and the service mayagree to call the result some particular name, and then the client mayregister with the space (using a space facility such as described above)to receive an event when a result so named is added to the space. Seethe description above on event notification.

Thus, several different mechanisms may be employed within thedistributed computing environment for a service to return results to aclient. The actual results may be returned to the client by value in anXML message, or results may be returned to the client by reference withthe actual results (or advertisement for the actual results) put in aspace and the client receiving a message referencing the results in thespace. Moreover, results, or results advertisements, may be placed in aspace and the client notified by event.

Another mechanism for handling results may be for the client to specifyanother service for the results to be fed to. For example, when a clientruns a service that will produce results, the client may instruct thatservice (e.g. through XML messaging) to send the results to anotherservice for further processing. This may involve the client indicatingthe URI of an advertisement for the other service so that theresult-producing service may generate a gate to the other service inorder to run the other service and pass it the results. In this example,the result-producing service may be a client of the other service. Insome embodiments, the client may send the schema or a pre-constructedgate to the result-producing service to access the service for furtherprocessing. An example of a service for further processing is a displayservice that may display the results for the original client. Thisdisplay service may be on or associated with the same device as theclient.

Result spaces and method gates may allow the distributed computingenvironment to provide a simple remote method invocation that ispractical for thin clients with minimal memory footprints and minimalbandwidth, because it need not have the adverse side effects of hugeprogram objects (along with needed classes) being returned (necessarily)across the network to the client as in conventional remote methodinvocation techniques. Instead, results may be returned to a resultspace, and only if desired (and if they can reside on the client) arethe actual objects downloaded to the client.

The mechanism by which the distributed computing environment may providefor remote method invocation is as follows (refer also to thedescription of method gates in the Gates section herein). An object maybe advertised (e.g. as a service or as part of a service) in a space.The advertisement includes a reference that contains the URI (e.g. URL)of the object, along with other access parameters, such as securitycredentials and XML schema. A client may have or may construct a clientmethod gate for the object, which for every method of the object (orservice) itself may have a wrapper method that takes the methodparameters and creates a request XML message to invoke a method of theobject. The XML message is sent to a service gate which invokes theactual method on the service object. When that method returns a resultobject, the service gate may post the result object in a results space,and may return a message to the client with a reference to the resultobject.

Thus, for a client to invoke a remote method, the client first sends amessage to instantiate an object (e.g. service), such as describedabove. In one embodiment, instantiation of an object may include thecreation or spawning of a result space. In another embodiment, resultspace creation may be independent from the object instantiation.Instantiation may return the object URI to the client, and the clientand service gates may be dynamically created when a client requestsinstantiation. In some embodiments, a result space may already exist andbe advertised by the object (service). Some part or all of the gates mayalso have been pre-constructed or reused.

Once a client has initiated an object, a local call of the appropriateclient method gate will affect a remote call to the actual remoteobject, as described above. The remote method invocation approach of thedistributed computing environment may be recursive, with objectreferences returned to the client, instead of the objects itself, whenthe client gate is called. Note that such returned objects may alreadybe instantiated. In some embodiments, the client may make a decision todownload an entire object itself, rather than just remotely invoke it.

A method or service invoked as described above may generate a child gatethat is associated with the results document. The method may return achild gate (or the schema, URI and credentials for the client toconstruct a child gate) for the references instead of the referencesthemselves. The client may then access the references through the childgate. The child gate may also be a method gate.

As described above, this remote method invocation provided by thedistributed computing environment allows the real result object(s) to bestored in a service results space (which also may be createddynamically, by a servlet for example). The results space may betemporary. The results space may act as a query results cache. Theresults cache may be patrolled by server software (garbage collector)that cleans-up old result areas. Distributed garbage collection may beemployed, as result spaces may fill up until they are destroyed by aclient indicating it no longer needs the space, or by an administratoron a server setting appropriate limits.

Turning now to FIG. 23, an illustration of a default space 350 isprovided. The distributed computing environment may provide at least onedefault space so clients can find an initial set of advertisements. Adevice may have a default space that exists locally, with a built-inpre-constructed gate. The services advertised in that default space mayexist locally on that device, and they may provide system software thatenables or facilitates the device's participation in the distributedcomputing environment.

The default space 350 may include one or more mechanisms 352 to locateexternal spaces, as shown in FIG. 23. One service in the default spacemay run the space discovery protocol described above to find externalspaces. Also, external spaces may be advertised in the default space.Additionally, a service (e.g. a search engine or a proxy service to asearch engine) may be advertised in the default space that determines orfinds external spaces. Each space may be analogous to a file systemmount point. Thus, the distributed computing environment may providesearchable, dynamic mount points to services. A default space may be aclient's initial mount point to the distributed computing environment.

A default space or access to a default space may be built in to adevice. Through the default space and local services that may exist onthe device, a client execution environment for the distributed computingenvironment may be provided. A device's local services and default spaceservice may have built-in pre-constructed gates. One of the built-inservices listed in the default space may be a service to run thediscovery protocol so that the client may locate additional (e.g.external) spaces. A default space may include a built-in service thatprovides an execution environment for clients that allows the clientuser to browse spaces, select, and then instantiate services. Such aservice may provide a simple user interface that allows a client toentire strings (e.g. keyword for space searches), view or browse resultreferences (e.g. space listings, or service listings within a space),select items (e.g. to chose and instantiate a service), etc.

Devices that primarily provide a service may also include a defaultspace and may include a built-in service in the default space thatallows a service to manage advertising itself in various spaces. Forexample, a device, such as a printer, may have a built-in defaultservice that finds (perhaps through the discovery protocol) a space on alocal area network and adds an advertisement for the printer service tothat space. This service may also maintain the printer serviceadvertisement within the LAN space, for example, by renewing its leaseor updating the printer's XML schema, etc.

For some devices that provide a service, the overhead of finding a spaceto advertise its service and maintain that advertisement is undesirable.In one embodiment, rather than searching for and maintaining a space orspaces to publish service advertisements, services on some devices maytransmit their advertisements in response to connection requests. Forexample, a printer device with a printer service that is available on aproximity basis may not maintain an advertisement in a space (on thedevice or external to the device). Instead, when another deviceestablishes a connection with the printer device (for example, a userwith a laptop running a client desires to print a document), the printerservice may transmit the service advertisement to provide the XMLservice schema for connecting to and running the service that providesprinting functionality on the printer device. Also, some devices mayonly maintain advertisements for their services in a certain vicinity orlocal network. Such a device may not desire to support or may not haveaccess to transports for broader accessibility.

One example of a service device in which it may be desirable for thedevice to avoid or limit maintaining service advertisements in a spaceis a device whose functionality is available on a proximity basis.Proximity-based services may provide advertisements of theirfunctionality upon request. These advertisements may not be broadlyaccessible. For example, proximity-based services may be provided in awireless communications system. The term “wireless” may refer to acommunications, monitoring, or control system in which electromagneticor acoustic waves carry a signal through atmospheric space rather thanalong a wire. In most wireless systems, radio-frequency (RF) or infrared(IR) waves are used. Typically, in proximity-based wireless systems, adevice comprising a transceiver must be within range (proximity) ofanother device to establish and maintain a communications channel. Adevice may be a hub to connect other devices to a wireless Local AreaNetwork (LAN).

As mentioned, embodiments of the distributed computing environment mayprovide a mechanism using a lookup space that allows clients torendezvous with services. In a proximity computing environment, oneembodiment of the distributed computing environment may provide aservice discovery mechanism that clients may use to discover serviceswithout using lookup spaces as rendezvous points. An example of aproximity computing environment is an IrDA point-to-point communicationsenvironment. In a proximity computing environment, the proximitymechanism may find the “physical” location of the service for theclient. For example, in an IrDA environment, the client device may bephysically pointed at the device including the service(s) that theclient desires to use.

The proximity service discovery mechanism may enable the client todirectly look for service advertisements rather than sending a lookuprequest to a lookup space to look for service advertisements. Since theclient device may have established a proximity connection to the servicedevice, the client may directly request the desired service. Forexample, a PDA client device may establish a proximity connection to aprinter device; the client may “know” to request a printer serviceconnection on the printer device.

In one embodiment, the client may send a proximity service discoverymessage to the service device. The message may include information thatmay specify a desired service on the service device to which the clientdevice has a proximity connection. In one embodiment, a service on theservice device may respond to the proximity service discovery message,and may send to the client the service advertisement that the client mayuse to connect to the desired service. The proximity service discoverymessage may also include information that may be used to authenticatethe client and to establish the client's capabilities on the service.Using the received service advertisement, the client may establish agate to establish communication with the desired service.

Nevertheless, it may still be desirable to publish advertisements forservices that do not desire to or cannot maintain their advertisementsin a space that is broadly accessible. In one embodiment of adistributed computing environment, a device that establishes aconnection with a device that does not publish its serviceadvertisement(s), such as a proximity-based device, may publish serviceadvertisements received from the non-publishing device. For example, adevice that establishes a connection with a proximity-based device andthat has an alternate transport connection(s) may publish (or republish)service advertisements received from the proximity-based device in thealternate transport environment, thus allowing the proximity-baseddevice service(s) to be used by other devices (through the (re)publishedservice advertisements) which are outside the normal proximity range ofthe device.

The publishing device may locate a locally published serviceadvertisement for the proximity-based device through a discovery and/orlookup service, or alternatively the service advertisement may not bepublished by the local service device, but instead may be sent to thepublishing device by the local device upon the establishment of aconnection, as described above. In one embodiment, the republishedservice advertisement may be made available as long as the devicemaintaining the advertisement is connected to or able to connect to thelocal device. For example, if the publishing device is disconnected fromthe local device (for example, moves out of proximity range of thedevice), the service advertisement may be made stale or removed. A leasemechanism may be provided to allow the space containing theadvertisement to send lease renewal messages to the publishing device.The publishing device may verify its connection to the local device,thus allowing the space to detect when the local device is no longeravailable. Rules for how the service advertisements are republished maybe provided by the local device or by an administrative policy for thelocal vicinity (e.g. proximity area) or local network.

FIG. 24 illustrates an example of a device bridging proximity-baseddevices onto another transport mechanism to allow the services providedby the proximity-based devices to be accessed by devices outside theproximity range of the devices, according to one embodiment. Apublishing device 1404 may be connected to a network 1412, such as anEthernet LAN or the Internet, etc., and may establish and maintainproximity connections 1414 with proximity devices 1400 and 1404.Proximity connections may be wireless connections or wired LANconnections, for example. Proximity devices 1400 and 1402 may each senda service advertisement to the publishing device 1404 upon connection,or, alternatively, the publishing device may locate the serviceadvertisements using a discovery and/or lookup service for the proximityconnections. The publishing device 1404 may then make the servicesprovided by the proximity devices available to other devices 1408 and1410 on the network 1412 by republishing the service advertisements 1416and 1418 in space 1406. Space 1406 may be stored on the publishingdevice or on other devices connected to the LAN (including devices 1408and 1410).

Other devices on the LAN including devices 1408 and 1410 may thendiscover space 1406 and look up the republished service advertisements1416 and 1418 for the proximity-based devices, establish gates tocommunicate to those services (device 1404 may act as a proxy or bridge)on the proximity-based devices 1400 and 1402 using the XML messagepassing methods described previously, and send requests and receiveresults to the proximity devices. Publishing device 1404 may act as abridge between the network 1412 and the proximity connections 1414 tothe proximity-based devices.

Leases

Leases may be used in the distributed computing environment to deal withpartial failure, resource synchronization (scheduling), and to providean orderly resource clean-up process. Leases may help the overalldistributed system manage independent clients and services that may comeand go. The various resources that clients obtain from services(including space services) may be leased from those services. Ingeneral, not every resource can or needs to be leased. In oneembodiment, it is up to the implementation of each particular service todetermine which of its resources need to be leased. In particular,resources used by a large amount of clients simultaneously may not needleasing or instead may require custom leasing protocols. This class ofleasing may be left to the service provider. Custom protocols, such asthose to implement transactions for example, may be built upon the baseleasing scheme. In one embodiment, the base leasing model is a relativetime-based model.

Services may issue leases to clients and provide operations on thoseleases. In one embodiment, all such lease functionality of a service ispart of that service's XML schema. Thus, a client may use its gate(corresponding to the service and constructed for the service's XMLschema) to perform lease operations. In one embodiment, all servicesthat issue leases provide the following lease operations (only allowedby the owner of the lease): (i) renewing a lease (parameters specified:lease (e.g. lease ID, lease credential), new lease time requested), and(ii) canceling a lease (parameter specified: lease (e.g. lease ID, leasecredential)). In one embodiment, all leases are granted for a particularamount of relative time (duration of lease) that may be negotiated. Therequestor may specify a certain amount of time (e.g. in seconds), andthe grantor may grant the lease for any amount up to that time. In oneembodiment, a −1 value may be used to specify an indefinite lease.

The leasing mechanism may provide a mechanism to detect service andclient failure. Leases may also provide a mechanism to provide sharedand exclusive resource access. In one embodiment, all service resourceseither have no lease (resource is not leased and therefore available), ashared lease (resource accessed by multiple clients), or an exclusivelease (resource is accessed by exactly one client at a time). In oneembodiment, all resources begin in the no lease state. A no lease statesignifies there is no current access to the underlying resource, andindicates that there is an interest in the resource remaining inexistence and thus available for leasing. The leasing level may beincreased from none to shared, none to exclusive, or shared toexclusive. Lease isolation levels may also be decreased from exclusiveto shared, exclusive to none, and shared to none. In one embodiment,clients may voluntarily increase or decrease the lease isolation level,or may be requested by the service to do so. A response message from theservice may indicate if the isolation level change was accepted.

Request-response message pairs may be employed to claim, release, andrenew a lease. Each message may be tagged using a reserved XML tag toindicate that the message is a leasing message. The complete compositionof the message isn't necessarily defined by the distributed computingenvironment. In such an embodiment, service developers may append custommessage content, as long as, the message is tagged as a leasing message.

In one embodiment, clients that use leased resources may be expected to:(i) claim the resource as shared or exclusive, (ii) release the resourceclaim (if requested or if finished with resource), and (iii) respond torenewal messages (with another claim at same or different isolationlevel). Renewal messages may be sent (e.g. in regular intervals) byservices to detect client failure cases. The interval (at which therenewal message is sent) may be service specific. If a response to therenewal message isn't issued after a specific amount of time (e.g. basedon a time noted in the service advertisement), a resource reclamationprocess may begin within the service, revoking the lease completely. Insuch an embodiment, renewal messages sent to clients should be handledin a timely fashion. FIG. 25 illustrates the use of renewal messagesboth between a client and an instantiated service and between a serviceprovider and a space service. Note that both cases may be considered asthe use of renewal messages between a client and a service, since aservice provider may be a client to a space's advertisement service.

Renewal messages may arrive in an “out of band” fashion that may beinconvenient for the client to handle. That is, the client cannotpredict when a renewal message will be sent from the service. Out ofband message handling may complicate the client's logic and increate itscomplexity. To solve this problem, an automatic lease renewal mechanismmay be implemented to relieve the client of the responsibility ofhandling the out of band messages, and thus reduce client complexity. Inthe automatic lease renewal mechanism, each gate (message, method,and/or event gate) may receive renewal messages and automaticallyrespond to them without help from the client. The default response to arenewal request is to claim the lease at its current level. Each messagegate may contain a single, set-aside renewal response message that isautomatically sent to the advertisement space service when the gatereceives the renewal message. This “out of band” message is handled onbehalf of the client, yielding a cleaner client programming model. Inone embodiment, the gate may allow clients to register lease eventhandlers to specify different isolation levels in the response message.

The leasing mechanism may also provide a mechanism to detect staleadvertisements. When a service publishes its advertisement in a space,that service obtains a lease on this publishing of its advertisement.Each advertisement may contain a time by which the service promises torenew the advertisement. In one embodiment, all time-out values arespecified in seconds. If the service continues to renew its lease, thespace is provided some assurance that the service advertised is stillbeing offered. The renewal time may be counted down towards zero by thespace service. If the service does not renew its lease, the service mayhave failed, or it may no longer wish to, or be able to provide theservice. When the lease is not renewed, the space service marks theservice advertisement stale, so it does not make it available toclients. Services renew advertisements by sending a renewal message tothe space. The space service receives these messages and re-sets theadvertisement renewal time back to its initial value.

In one embodiment, stale advertisements are not automatically deleted.Depending upon the policies of the space, it may choose to delete staleservice advertisements that have expired for a reasonably long period oftime. The deletion policy may be set by the space service. The spaceservice may search for stale advertisements and either delete them orbring them to the attention of an administrator, for example.

In addition to detecting stale advertisements, the space service may useleases to manage the resources its facilities provide to clients(including other services) of the space. For example, when a clientdesires to use a service, the space service may request a lease for theclient as part of service instantiation. Service instantiation may beperformed to allow a client to run a service. To instantiate a service,a client may first select one of the service advertisements published ina space. The client may use the various facilities provided by the spaceto look up advertisements in the space. Then the client may request thespace to instantiate the service. The lease acquired during serviceinstantiation is on use of the service advertisement (not the same asthe lease on publishing of the service advertisement). It should benoted that the space service may allow multiple clients to have a leaseon use of a service advertisement if the advertisement has an indicationit is shared. Otherwise, the space service only allows one client at atime to have a lease on the service advertisement (exclusive).

Another example of how a space service may uses leases to manage theresources its facilities provide to clients is when a client of thespace registers to be notified when XML documents (e.g. serviceadvertisements) are added or removed from a space. The registeringclient of the space may obtain a lease on this subscription tonotifications. This lease enables the space service to know whether tocontinue sending notifications. Such a lease may not be necessary when aclient has established an active session with the space. Also, note thatwhen a client of a space (could be a service) establishes a session withthe space, the client may obtain a lease on the session. This allows thespace to manage any resources associate with the session.

In another embodiment, the distributed computing environment may employa leasing mechanism that is not time-based. The lease may be generatedwhen an object is claimed for use. Instead of a time-based mechanism,the claim method may accept a callback that notifies the currentleaseholder that some other party wishes access the same object (e.g.service). Thus, as an alternative embodiment to time-based leases,instead clients may make claims on space objects (e.g. services).Whenanother client desires a lease that is incompatible with the currentleaseholder's, the service may send a “callback message” to the client.Upon receiving the callback message, the client (i.e. client gate) mayinvoke a callback method to decide on a response to the callback message(keep the lease, cancel the lease, change the access level to shared,etc.). Once a response has been determined, the client gate sends aresponse message to the service. This distributed mechanism for managingleases may be implemented using the XML message-passing layer.

Authentication and Security

The distributed computing environment provides for spontaneous andheterogeneous distributed systems based upon an asynchronous messagepassing model, where data and/or objects may be represented in arepresentation language such as XML. In the distributed computingenvironment, clients may connect to services throughout the Internet,for example. The distributed computing environment may enable largenumbers of network devices to work together in a reliable, dynamic, andsecure fashion. The distributed computing environment may define aprotocol that substantially enables interoperability between compliantsoftware components (clients and services).

In the context of the distributed computing environment, a device may bea networking transport addressable unit. Clients and services may beimplemented as Universal Resource Identifier (URI) addressable instancesof software or firmware that run on devices.

Internet space is inhabited by many points of content. A URI is a methodused to identify any of those points of content, whether it be a page oftext, a video or sound clip, an image, software, firmware or otherInternet content. The most common form of URI is the Web page address,which is a particular form or subset of URI called a Uniform ResourceLocator (URL). A URI typically describes the mechanism used to accessthe resource, the specific computer that the resource is housed in andthe specific name of the resource (typically a file name) on thecomputer.

Clients and services (both may be implemented on devices as softwareand/or firmware) may be connected over the Internet, a corporateintranet, a dynamic proximity network, within a single computer, or byother network connection models. The size and complexity of the devicessupporting clients and services may range, for example, from a simplelight switch to a complex, highly available server. Example devicesinclude, but are not limited to: PDAs; cellular phones; notebook,laptop, and more powerful PCs; and more powerful computer systems, up toand including supercomputers. In some embodiments, the distance,latency, and implementation of clients and services may be abstracted,with a common discovery and communication methodology, creating a “blackbox” effect. This definition approach allows software implementationissues to be dealt with by the underlying platform, yielding a looselycoupled system that may be scaled to Internet proportions.

The distributed computing environment may provide an Internet-centricprogramming model including WEB and XML content representation, dynamicdevice discovery, and secure device communication that is accessiblefrom a wide range of network devices. The distributed computingenvironment may include a network programming model abstracted above theCPU level. The programming model may include the following properties:

-   -   URI addresses    -   Strongly typed data called content (addressed with URIs)    -   Substantially unlimited amount of persistent content storage        (e.g. stores), (containing XML and non-XML content, such as that        identified by MIME types)    -   Substantially unlimited amount of transient content memory        called spaces (containing L content)    -   Descriptive XML metadata (data about data) content        advertisements that may be stored in a space to notify        interested clients.    -   A substantially unlimited number of instructions (embodied as        messages)    -   Secure message endpoints (gates) addressed by URIs    -   Data flow support (event messages) to coordinate work flow        between distributed software programs

Services and clients may run as programs within the distributedcomputing environment. Services may advertise their capabilities toclients wishing to use the service. Clients may or may not reside withinthe same network device, and that device's code execution environmentmay or may not support the Java platform.

Using URIs to address content and message endpoints gives thedistributed computing environment a powerful addressing scheme. Theaddress may specify the location of the content or endpoint, and mayspecify the route (or transport protocol) to be used. Items addressedusing URIs also may have an associated security credential. The securitycredential may be used to control what clients are allowed access to theitem, as well as which operations authorized clients are allowed toperform on that item.

The high degree of access provided by the distributed computingenvironment may be controlled by appropriate authorization and securitysystems and methods. Authentication and security in the distributedcomputing environment may include, but are not limited to: verifying thetyping correctness of XML content in a message; securely identifying thesender to the receiver; a mechanism to check the integrity of messagessent from a client to a service and vice versa; and a mechanism ofdescribing a service's set of accepted messages to a client andenforcing the message requirements on messages received at the service.The above listed security and authorization features may be leveraged ina single, atomic unit of code and data. The atomic unit of code and datamay be dynamically created. In one embodiment, once created, the atomicunit of code and data may represent a message endpoint (gate), and maynot be altered as to the security and authorization policies implementedduring creation.

A gate may represent the authority to use some or all of a service'scapabilities. Each capability may be expressed in terms of a messagethat may be sent to a service. Gates may also be used for failure casedetection when a client leases resources.

Authorization and security may also include a mechanism for verifyingthat a client attempting to use a service is authorized to use theservice; that the space from which the client receives the serviceadvertisement from is authorized to provide the service advertisement;and/or that the service advertisement itself is authorized.

Message passing may be implemented in a messaging layer as the means ofcommunicating requests from clients to services and of the servicesresponding with results to the clients. The messaging layer of thedistributed computing environment may substantially guarantee that validXML messages are sent, and may provide mechanisms enabling alanguage-independent security model. In the messaging layer, a sendingmessage endpoint may be linked to a receiving message endpoint. The twoassociated message endpoints may provide a secure, atomic,bi-directional message channel suitable for request-response messagepassing between a client and a service.

In embodiments of a distributed computing environment, an advertisementmay be published in a space for a service. An advertisement may be anXML document that includes the XML schema and URI of the service. Theservice may also include a service ID token or credential in theadvertisement, and may specify in the advertisement an authenticationservice to be used by both the client and the service. A client may thenlocate the service advertisement on the space, and use the advertisementto instantiate a message gate on the client. The client may use theauthentication service specified in the advertisement to obtain anauthentication credential for sending in messages to the client. In oneembodiment, the client may pass the service ID token or credential fromthe service advertisement to the authentication service, and theauthentication service may then use the service token or credential togenerate the authentication credential for the client. In oneembodiment, the client may include a gate factory that receives thenecessary information to create the message gate, and the gate factorymay construct the message gate and communicate with the authenticationservice to obtain the authentication credential for the client. Acorresponding service message gate may be instantiated at the service.

The client, at some point, sends a first message to the service. In oneembodiment, the client message gate may embed the client'sauthentication credential constructed by the authentication service inthe message. When the service receives the message, it may use the sameauthentication service to verify the authentication credential receivedin the message. By sharing the same authentication service, any of avariety of authentication protocols may be employed, with the details ofgenerating the authentication credentials separated from the client andthe service. Thus, a client may use different authentication credentialprotocols with different services.

In one embodiment, the authentication service may determine thecapabilities of the client (e.g. what the client is allowed to do on theservice) upon first receiving the client authentication credential fromthe service. The capabilities of the client may be bound to the client'sidentity. Then, the client's message gate may embed the authenticationcredential in every message sent from the client to the service. Themessages may be received by the service message gate and then checked bythe authentication service to ensure that the message is from the clientand that the message request is within the capabilities of the client.In another embodiment, capability determination and message checking forcapabilities may be handled by the service message gate without usingthe authentication service.

The client and service message gates may work together to provide asecure and reliable message channel. The gates may serve as securemessage endpoints that allow the client to run the service by sendingand receiving secured, authorized XML messages to and from the service.

Operations in the distributed computing environment may be embodied asXML messages sent between clients and services. The protocol used toconnect clients with services, and to address content in spaces andstores, may be defined by the messages that can be sent between theclients and services. The use of messages to define a protocol mayenable many different kinds of devices to participate in the protocol.Each device may be free to implement the protocol in a manner bestsuited to its abilities and role.

A service's capabilities may be expressed in terms of the messages theservice accepts. A service's message set may be defined using an XMLschema. A XML message schema may define each message format using XMLtyped tags. The tag usage rules may also be defined in the schema. Themessage schema may be a component of an XML advertisement along with theservice's message endpoint (gate) used to receive messages. Extensions(more capabilities) may be added to services by adding messages to theXML message schema.

In the distributed computing environment, authorized clients may be ableto use all of a service's capabilities, or may be limited to using asubset of the service's capabilities. In one embodiment, once a set ofcapabilities has been given to a client, the client may not change thatset without proper authorization. This model of capability definitionmay allow for services levels that run from a base set of capabilitiesto an extended set.

Service instantiation may be performed to allow a client to run aservice. To instantiate a service, a client may first select one of theservice advertisements published in a space. The client may use thevarious facilities provided by the space to look up advertisements inthe space. Then the client may request the space to instantiate theservice. Service instantiation may include, but is not limited to, thefollowing steps:

-   -   1. Client requests space service to instantiate a service.    -   2. Space service verifies client is allowed to instantiate the        service.    -   3. Space service obtains a lease on the service advertisement        for the client with the lease request time specified by the        client. Alternatively, the service advertisement may be provided        to the client without using the leasing mechanism.    -   4. Space service sends a message to the client that includes the        lease allocated in steps 3, and the service advertisement of the        service.    -   5. Client runs the authentication service specified in the        service advertisement, and obtains an authentication credential.    -   6. Client constructs a client message gate for communicating        with the service.

In order to provide trust between clients and services in thedistributed computing environment, a series of dynamically generatednumbers (keys, or tokens) may be used as security or authenticationcredentials for clients. One or more credentials may be used to verifythe right of a client to use a service and to verify messages betweenthe client and the service. Each client and service may have a uniquecredential.

The type of authentication credential needed to use a service may bereturned to the client conducting a service search. In one embodiment,an authentication credential is an opaque object that must be presentedeach time a client uses a service. In one embodiment, the authenticationcredential may be presented by a message gate on behalf of a client inevery message sent to a service. No matter what kind of authenticationcredential is required by a service, by using an authentication serviceexternal to the client and the service, the client and the service maynot need to be aware of the authentication credential structure or ofthe authentication process.

An authentication credential may also include a transport-specificticket in addition to the service ticket. When running a service,depending upon the networking transport specified in the serviceadvertisement, the transport may provide a secure connection. In somecases, if the data link layer is already secure, it may not be necessaryto use a secure transport over the already secure data link layer.

The concept of an authentication credential is abstract enough to allowvarious levels of security based upon credential implementation. Levelsof security may include, but are not limited to:

-   -   1. None (no message security—credential is empty or no        credential)        -   Messages with empty credentials or no credentials may be            sufficient when security is enforced by the physical            connectivity properties of the transport. For instance, a            smart light switch connected to just one light switch            controller is secure because the switches are wired in a            secure manner.    -   2. Signed messages (digital signatures)        -   Signed messages may include a digital signature that enables            the service (receiving the message) to verify the origin            (client) of the message.    -   3. Encrypted messages (transport may handle this)        -   Encrypted messages add another level of security by            scrambling the message contents so that another credential            is required to unscramble it.    -   4. Capability messages (service functionality and user aware)        -   This level of security may provide for security capabilities            on a user-by-user basis (e.g. what the user is allowed to            do), and may allow for fine-grained access control to            services and individual service functions.

Multiple levels of security zones may be used, due to the heavyweightimplementation necessary to enforce the higher levels of security(capabilities & encryption). If the message transport supports (or helpssupport) these security levels, the support may be leveraged to providesecurity level bridge services that bridge one level of security toanother.

As mentioned above, services without any security model may accept emptyauthentication credentials. For services that do not restrict access, agate may be built without an authentication credential or with an“empty” authentication credential. The gates for such services may notsend an authentication credential with each message, or may send anempty credential. The authentication service is one example of a servicethat may not restrict access. Other services may require a user andpassword pair.

In some embodiments, a mechanism for verifying that a client attemptingto run a service, for verifying that the service advertisement receivedby the client is an authorized service advertisement, and for verifyingthat the space from which the client received the service advertisementis authorized may be based upon a public key/private key asymmetriccryptographic mechanism. In this mechanism, an authorized sending entitymay embed a public key in a message and encrypt the message includingthe public key with its private key. An entity receiving the encryptedmessage may decrypt the message using the public key and find the samepublic key embedded in the decrypted message, and thus verify that themessage is from the authorized entity, since only that entity has theprivate key necessary to encrypt the message. Thus, an entity may issuea credential that is substantially unforgeable, and that other entitiesmay decrypt (with the appropriate public key) to verify messages sent bythe entity.

A Kerberos ticket is one example of a security credential that may beused in the distributed computing environment. Kerberos is a securemethod for authenticating a request for a service in a computer network.Kerberos lets a user request an encrypted “ticket” from anauthentication process that can then be used to request a particularservice. The user's password does not have to pass through the network.

Mechanisms may be provided by the distributed computing environment tosubstantially guarantee that messages sent between clients and servicesare not compromised. In one embodiment, a sender may embed a tokencontaining information that may be used by the receiver to verify thatthe message has not been altered. There are several methods forgenerating the information to embed in the message. In one embodiment, ahash of the message may be computed and sent with the message. Hashingmay include the transformation of a string of characters into a usuallyshorter fixed-length value or key that represents the original string.Upon receiving the message, the receiver may recompute the hash andcheck it against the sent hash. If the message has been altered, it ishighly unlikely that the same hash will be generated. The sender mayencrypt the hash and send the corresponding public key in the encryptedmessage to substantially ensure that the hash is not compromised.

In other embodiments, an error detection scheme such as cyclicredundancy checking may be used. Cyclic redundancy checking is a methodof checking for errors in data that is transmitted on a communicationslink. In an embodiment using cyclic redundancy checking, the senderapplies an n-bit polynomial to the message and appends the resultingcyclic redundancy code (CRC) to the message. The receiver applies thesame polynomial (which may also be passed in the message) to the messageand compares its result with the result appended by the sender. If theyagree, the message has been received successfully. If not, the sendermay be notified to resend the message.

Gate factories may also play a role in security, since a gate factorymay be “trusted” code. Using a trusted gate factory to generate gatesmay help to ensure that gates are trusted code, and that the code iscorrect with respect to the service advertisement. Clients may berequired to present a client ID token or credential to the gate factoryas a means of authentication. Services may present a service ID token orcredential to clients (e.g. through an advertisement) when a clientwishes to create a gate. As discussed herein, a client and service tokenpair may be used to create a third credential that may be used to allowthe client to send messages to the service. This third credential may bereferred to as an authentication credential. An authenticationcredential may be created by an authentication service during theauthentication process. In one embodiment, the service may use anyauthentication policy at its disposal. In one embodiment, theauthentication service administers the authentication policy on behalfof the service, and thus the service does not have to be aware of theparticular authentication policy being used.

The client may construct its gate using an authentication credentialthat the client receives by running an authentication service specifiedin the service advertisement. This may allow the constructed gate tosend the authentication credential with each message to the service.When the service receives the first authentication credential in a firstmessage from the client, the service may use the authentication servicespecified in the service advertisement to authenticate the client, andthus may establish a binding of the authentication credential to theidentity of the client.

As previously discussed, some results produced by a service may beadvertised in a space and ultimately accessed using a results gate. Theresults gate may or may not contain the same security credential as theinput gate used to generate the results. Because input to a service maybe asynchronous from its output (the results), the results may have adifferent set of access rights associated with it. For example, apayroll service may allow a different set of clients to initiate payrollthan to read the payroll service's results (paychecks). Thus, a clientmay have to go through a separate authentication process to obtainaccess rights to the results, which may include receiving anauthentication credential for the results from an authentication servicespecified in an advertisement for the results.

Message gates may offload most security checks from services. Servicesmay focus on providing capability and authenticating clients. Aprinciple of least privilege may be supported by giving clients accessto only those capabilities that are requested (or assigned).

Security checks may occur when a gate is created and/or when a gate isused (when messages are sent and/or received). When a client requestsaccess to an advertised item (service), the process of gate creation maybegin. During this process, the client gate factory may work with theservice to mutually authenticate each other. The checks performed atgate creation time may be extensive, and may minimize the number ofchecks performed during gate usage. After the service has authenticatedthe client, the service may determine specific capabilities for theclient (e.g. what the client is allowed to do on the service), andassociate the capabilities with the client's authentication credential.These specific capabilities may specify what operations the client isallowed to perform on the service. Since the gates may ensure that everymessage contains the authentication credential, the service can thencheck each request when it is received against the capabilities of theauthenticated client.

Gate creation checks may ensure that a client has permission to use someor all of the service capabilities designated by the XML message schema.In one embodiment, these checks may be implemented using access controllists (ACLs) in conjunction with an authentication service such asKerberos. A challenge-response sequence (such as a password) may also beused to authenticate a client.

In one embodiment, whatever means is used to authenticate the client,the authentication may be invisible to both the client and service, thegate factory may be aware of which authentication service to use, andthe authentication service handles the authentication mechanism andpolicies. Gate factories may be product and environment dependent, ormay even be controlled by a configuration management system. In oneembodiment, the degree and method of client isolation may be platformdependent, but is known to the gate factory.

Message gates in the distributed computing environment are typicallyassociated with a single client. The means of association may bedetermined by the gate factory. The checks performed at message sendtime may ensure that the proper client is using the gate. In oneembodiment, gates may be passed in messages, and may be cloned if a newclient wishes to use the gate. The cloning process may perform a new setof creation checks.

Once a client of a space (the client may be another service) finds theadvertisement of a space service, the client of the space may run thespace service, as it would any other service. Running a space servicemay involve using an authentication mechanism. Running a space servicemay include, but is not limited to:

-   -   1. The client of the space may first run an authentication        service that may be specified in the service advertisement of        the space service to obtain an authentication credential.    -   2. The client of the space may use the authentication        credential, the XML schema of the space (from space's service        advertisement), and the URI of the space (from space's service        advertisement) to construct a gate for the space. In one        embodiment, the client may pass the information to a gate        factory to construct the gate.    -   3. The client of the space may run the space service by using        the gate to send messages to the service.    -   4. When the space service receives the first message from the        client, with the authentication credential embedded, the space        service may use the same authentication service used by the        client to obtain the authentication credential to authenticate        the client, thus establishing the client's identity.    -   5. The space service may then determine the client's        capabilities (e.g. what the client is allowed to do on the space        service) and bind the capabilities to the authentication        credential.

As discussed in the Spaces section, a space's facilities may include aninterface for spawning an empty space with substantially the samefunctionality (same XML schema) as the space from which it is spawned.The spawning facility may be useful, among other things, for dynamicallygenerating spaces for results.

FIG. 42 is a flow diagram illustrating the secure spawning of a newspace in a distributed computing environment according to oneembodiment. As indicated at 1950, a client may access (e.g., connect to)a first space service. (A service may act as a client for the purpose ofaccessing or otherwise using a space.) As indicated at 1952, thecreation of a second space may be requested, such as by the clientsending an appropriate request to an interface of the first space. Aclient (including a service acting as a client of a space service) whichrequests creation of the space may be referred to as the requestingclient. In response, a second space service with a second space may becreated at a second Internet address, as indicated at 1954. As above,the second space service may include a second schema which specifies oneor more messages usable to invoke functions of the second space service.The second schema may include at least the first schema, and the secondschema may include additional functionality as well.

The second space may initially be configured to permit access only tothe requesting client. In one embodiment, as indicated at 1956, a rootauthentication token is created for the second space. Also as indicatedat 1956, an authentication service associated with the second space maybe initialized, whereby the second space is configured to permit accessonly to a client holding the root authentication token. As indicated at1958, the root authentication token may be sent to the requesting clientor service. As indicated at 1960, the requesting client may then accessthe second space by sending to the second space at least one of themessages specified in the second schema and by using the rootauthentication token.

In one embodiment, therefore, when a requestor has spawned a space, onlythe requestor may be allowed to access the spawned space. For example,the spawned space may be for storing results from a service that theclient needs to keep secured. In one embodiment, this security may beensured by:

-   -   As indicated at 1956, creating an initial root authentication        token, and initializing the authentication service of the        spawned space, so that the authentication service only        authenticates the root authentication token, and so that it        returns no other authentication tokens (no other clients of the        spawned space allowed initially).    -   Initializing the security policies of the spawned space so that        the root identity associated with the root authentication token        has access to all facilities of the space, including the        security administration facilities.    -   As indicated at 1958, returning the root authentication token        and the service advertisement of the spawned space to the        requestor of the spawned space.

The requestor may build a gate to access the spawned space, since it isreturned the authentication credential and the service advertisement ofthe spawned space. In one embodiment, only the requestor and clients orservices that the requester passes the authentication credential and thespawned space's service advertisement may access the spawned space. Suchlimiting of access to the spawned space may be useful when a client andservice are using that spawned space to store results, for example, ifthe client and service desire to keep the results private.

In one embodiment, the requesting client may send the rootauthentication token to a second client (including a service acting as aclient of the space service). The second client may then access thesecond space by sending to the second space at least one of the messagesspecified in the second schema along with the root authentication token.

After running a service, the client may change the authenticationpolicies of the spawned space using a security administration spacefacility, and other clients or services may then access the spawnedspace. The other clients may then have access to the second spaceservice, so that, for example, the other clients may read serviceadvertisements from the second space. In addition, the spawned space'sservice advertisement may be made available to other clients of thespawned space (the other clients may be services) using the discoveryprotocol or other means.

The message transport layer in a distributed computing environment mayinclude mechanisms for protecting the security and integrity ofcommunications among clients and services during transport. Thissecurity may be referred to as “wire security” or “transport security”to distinguish it from the authentication security implemented by themessaging system including gates. Encryption of messages may be providedat the message transport layer of the distributed computing environment.Services that request an encrypted transport may do so by tagging theXML advertisement. The gate factory may then create a gate (or gates)that uses a secure message transport such as those provided by Bluetoothand HTTPS.

HTTPS (Secure Hypertext Transfer Protocol) is a Web protocol thatencrypts and decrypts user page requests as well as the pages that arereturned by the Web server. HTTPS uses a 40-bit key size for the RC4stream encryption algorithm, which is considered an adequate degree ofencryption for commercial exchange. HTTPS may be used as a transport inthe distributed computing environment.

Bluetooth is an emerging peer-to-peer wireless communications standard.The Bluetooth key generation algorithms may be used in the distributedcomputing environment. Bluetooth may support encryption keys. Encryptionkeys are transport dependent, while client, service, and combinationkeys may be transport independent.

FIG. 26 a—An Authentication Service Providing an AuthenticationCredential to a Client

FIG. 26 a is a flow diagram illustrating an authentication serviceproviding an authentication credential to a client according to oneembodiment. A client in the distributed computing environment may desirea service to perform one or more functions on behalf of the client. Inone embodiment, an authentication service may be provided for use by theclient and the service when setting up a secure messaging channel. Anauthentication service may perform functions for the client and/orservice including authenticating the client and/or service andnegotiating the desired level of security and the set of messages thatmay be passed between the client and service. The authentication servicemay be a process that is executing within the distributed computingenvironment. The authentication service may be executing on the samedevice as the service and/or the client, or alternatively theauthentication service may be executing on a separate device such as anauthentication server. In one embodiment, the authentication service maybe an Internet-based service. The authentication service may have itsown address, for example, a Universal Resource Identifier (URI), throughwhich the client and/or service may communicate with the authenticationservice. In one embodiment, the address of the authentication servicemay be provided to the client in the service advertisement for theservice. The client and service sharing an authentication service mayhelp insure that a secure messaging channel may be established betweenthe client and the service, as any of several security andauthentication protocols may be used in the messaging channel.

In one embodiment, a client may present a client identification token orcredential to an authentication service. The client token or credentialmay be sufficiently unforgeable to be used as proof of the client'sidentity. The authentication service may then check the clientidentification token or credential, and issue to the client anauthentication credential that only the authentication service cancreate. The authentication credential that is returned to the client isthen sent in every message by the client to the service. In oneembodiment, the client message gate is created by a gate factory, whichincludes the authentication credential in the message gate, and thus themessage gate includes the authentication credential in every messagethat it sends to the service on behalf of the client. When receiving amessage, the service may then check the authentication credential. Sinceonly the authentication service can create the authenticationcredential, the service knows that the client did not forge theauthentication credential. In one embodiment, the service may pass theauthentication credential to the same authentication service used by theclient to ensure the authentication credential is valid, to verify thatthe client is an authorized client, and to find out the identity of theclient.

All services, including space services and authentication services, mayauthenticate their clients. Once a service authenticates a client, theclient may access the service. For example, in the case of a spaceservice, a client may then obtain XML advertisements from the space.

In one embodiment, a service may have a prearranged credential that allclients of the service are to use. In this embodiment, theauthentication may provide the prearranged credential to a requestingclient. Any client presenting the prearranged credential to the servicemay be approved by the service.

In step 1000, the client may request an authentication credential fromthe authentication service. In one embodiment, the client may search forand locate a service advertisement for the desired service. In oneembodiment, the service advertisement may include an advertisement forthe authentication service to be used to obtain an authenticationcredential to be used in accessing the service. In one embodiment, theservice advertisement may include an address such as a URI for theauthentication service. In one embodiment, the client may sendinformation to the authentication service requesting the authenticationcredential. In one embodiment, the client may send information to a gatecreation process, for example, a gate factory, and the gate creationprocess may access the authentication service to obtain theauthentication credential.

In step 1002, the authentication service may generate an authenticationcredential for the client. The authentication credential may be a dataelement or data structure that may be embedded in messages in amessaging system and that may allow receivers of the messages toauthenticate the sender of the message, to verify the message is from anauthorized sender, and to verify that the message is a message thesender is allowed to send to the receiver. In one embodiment of adistributed computing environment, an authentication credential may beunique to the messaging channel set up between a particular client and aparticular service. Step 1002 is further illustrated and described inFIG. 26 b. In step 1004 of FIG. 26 a, the authentication service mayreturn the authentication credential to the client. In one embodiment,the authentication credential may be returned directly to the client. Inone embodiment, the authentication credential may be returned to a gatecreation process, for example, a gate factory, which may then use theauthentication credential in generating a gate.

FIG. 26 b—An Authentication Service Generating an AuthenticationCredential

FIG. 26 b is a flow diagram expanding on step 1002 of FIG. 26 a andillustrating an authentication service generating an authenticationcredential according to one embodiment. In step 1002 a, in oneembodiment, the authentication service may obtain a client token and aservice token. In another embodiment, the authentication service mayobtain only a client token. In one embodiment, the client token may be aunique identifier for the client in the distributed computingenvironment. In one embodiment, the service token may be a uniqueidentifier for the service in the distributed computing environment. Forexample, the public keys from a public/private key encryption mechanismmay be used as unique identifiers for the client and the service. In oneembodiment, the client may receive the service token in the serviceadvertisement, and the client may provide the client token and theservice token to the authentication service. In another embodiment, theclient may provide the client token and the service advertisement URI tothe authentication service, and the authentication service may retrievethe service token from the service advertisement.

In step 1002 b, the authentication service may verify the client and/orthe service. In one embodiment, the authentication service may use theclient token and the service token obtained in step 1002 a to verify theclient and/or service. In another embodiment, only a client token wasobtained in step 1002 a, and thus only the client token is used toverify the client in step 1002 b. In one embodiment, the client may havepreviously registered its client token with the authentication service,and the authentication service may compare the received client token tothe registered client token to verify the client as a valid client. Inone embodiment, the client may access the authentication service using achallenge/response mechanism such as a logon account with password andthus may be verified as a valid client. In one embodiment, the servicemay have previously registered with the authentication service, and mayhave provided its service token to the authentication service. Theauthentication service may then verify that the client is attempting toaccess a valid service by comparing the received service token to thepreviously registered service token. Other types of client and serviceauthentication may also be used. For example, the client may provide adigital signature or digital certificate that the authentication servicemay use to authenticate the client and/or to authenticate the servicethe client is trying to access.

In step 1002 c, the authentication service may generate anauthentication credential. In one embodiment, the authenticationcredential may generate an authentication token that only theauthentication service can create. In one embodiment, the authenticationservice may use the client token and the service token in generating theauthentication credential. In another embodiment, the authenticationservice may use just the client token to generate the authenticationcredential. In yet another embodiment, the authentication service maynot use an obtained token in the generation of the authenticationcredential, but may instead use an authentication credential generationalgorithm to generate a substantially unforgeable authenticationcredential. In one embodiment, the authentication service may combinethe service token and client token to create a unique authenticationcredential. For example, the service token and client token may be64-bit values, and the two tokens may be combined to generate a 128-bitauthentication credential. Other embodiments may use other methods togenerate an authentication credential.

Bridging Devices to the Distributed Network Environment

There may be devices, external to the distributed computing environment,which do not support the message passing model implemented by thedistributed computing environment. These devices may provide servicesthat may be useful to clients in the distributed computing environment.The distributed computing environment may include a mechanism to bridgesuch external devices to the distributed computing environment so thatthe services offered on such devices may be accessed by clients in thedistributed computing environment. The distributed computing environmentmay also leverage existing device discovery protocols for discoveringsuch external devices for use in the distributed computing environment.

Many technologies define discovery protocols for publishing andmonitoring a network's device composition. These technologies include,but are not limited to: Jini, SLP, Bluetooth, and UPnP. Furthermore,many I/O buses such as LonWorks, USB and 1394 also support dynamicdiscovery protocols. The distributed computing environment may leveragedevice discovery technologies by wrapping their implementations in anAPI. Leveraging other device discovery protocols and providing a methodto bridge to other discovery protocols may allow the distributedcomputing environment to discover devices or services on a wide varietyof network and I/O buses. Device discovery in the distributed computingenvironment may thus be applicable to a wide range of devices includingsmall devices such as PDAs, even if they do not participate directly inthe distributed computing environment. Discovery protocols may bedefined at the message level.

A bridging mechanism may be provided for “wrapping” one or more specificdevice discovery protocols, such as Bluetooth's, in a messaging API forthe distributed computing environment. Wrapping may include framing thedevice discovery protocol with code and/or data (the API) so that theprotocol can be run by clients and/or services in the distributedcomputing environment that would not otherwise be able to run it. Whenrun, the bridging mechanism may allow for a discovery agent thatdiscovers devices by a specific device discovery protocol to publishservices for those devices in a space in the distributed computingenvironment. The services present an XML message schema interface toclients in the distributed network environment, and are capable ofoperating the various devices discovered by the specific devicediscovery protocol. Thus, service advertisements may be published forthe services that operate the various devices discovered by theunderlying wrapped device discovery protocols. The advertised servicesthus bridge devices (or services) external to the distributed networkenvironment to clients on the distributed network environment.

FIG. 27 illustrates one embodiment of a distributed computingenvironment with a space 1200. One or more discovery agents 1204 mayparticipate in an external discovery protocol and bridge to thedistributed computing environment through bridging mechanism 1202. Whenthe wrapped device discovery protocols are run, discovery agents 1204through bridging mechanism 1202 may publish service advertisements 1206a–1206 c in space 1200, wherein each one of advertisements 1206 a–1206 ccorresponds to a device or service discovered by one of discoveryprotocols 1204 outside the distributed computing environment. Clientsmay then access the external devices using the service advertisements1206 a–1206 c in space 1200 to instantiate services on one of the agents1204 that operates the corresponding external device or service.

Thus, clients of the distributed computing environment may use discoveryagents wrapping device discovery protocols to find devices. A serviceacting as a bridge to these devices may be published in a space andadvertised, so clients of the distributed computing environment mayaccess the services provided by the external devices. The advertisedservice is a service within the distributed computing environment thatis able to invoke a device outside the distributed computing environmentvia another protocol or environment, thus bridging the outsidedevice/service to the distributed computing environment. A client withinthe distributed computing environment “sees” only the advertised servicewithin the distributed computing environment and may not even be awareof the outside device/service.

In one embodiment, the distributed computing environment may provide aversion of a space discovery message protocol, such as the discoveryprotocol described in the Spaces section, that may be mapped to anunderlying external device discovery protocol, including the wrappeddevice discovery protocols described above. The mapped discoveryprotocol may register itself or be registered with a space, e.g. adefault space, by placing an advertisement in that space. For eachadvertised discovery protocol, a subsequent results space to hold theresults of the discovery protocol may be provided.

FIG. 28 illustrates an example of the space discovery protocol mapped toa Bluetooth discovery service 1220 according to one embodiment. TheBluetooth discovery service 1220 may first register 1230 with thedistributed computing environment. The Bluetooth discovery service 1220may be wrapped in a bridging API, and an advertisement 1225 for thediscovery service 1220 may be added 1232 in space 1224. A client orservice may locate the discovery service advertisement 1225 on space1224. When the discovery service 1220 is executed (utilizing the APIwrapper as a bridge between the discovery protocol 1220 and thedistributed computing environment 1222), a new space 1226 may be created1234 to store the results of the discovery process. The discoveryservice 1220 may store the results (again through the API wrapper) todiscovery results space 1226 as one or more advertisements 1227.Alternatively, results of executing discovery service 1220 may be storedto space 1224 or other pre-existing spaces in the distributed computingenvironment. A similar method as illustrated in FIG. 28 may be used todiscover devices and other services using other underlying discoveryprotocols.

As mentioned above, there may be devices, external to the distributednetwork environment, which do not support the message passing modelimplemented by the distributed network environment. These devices mayhave clients that may want to use services provided in the distributedcomputing environment. The distributed computing environment may providea mechanism to bridge the external clients or client devices to thedistributed computing environment so that the clients on the externaldevices may access services in the distributed computing environment.

Agents may be provided that serve as clients in the distributedcomputing environment to bridge external clients to the distributedcomputing environment, allowing the external clients to access servicespublished in the distributed computing environment. In one embodiment,an agent may have an XML-enabled back end capable of communicating withservices in the distributed computing environment using the messagepassing model, and a proprietary protocol (e.g. a protocol supported bythe external device) on the front end to interface to the externaldevice, and thus to the external client. Thus, a client external to thedistributed computing environment may locate and access services in thedistributed computing environment through the bridging agent, and maysend requests to the services and receive responses from the services,including results data. For example, an external client may use thebridging agent to run space discovery in the distributed computingenvironment, look up advertised services, and invoke services in thedistributed computing environment.

In one embodiment, the distributed computing environment may provide abridging mechanism for accessing Jini services from a distributedcomputing environment client. Since Jini services may require RemoteMethod Invocation (RMI), and since clients in the distributed computingenvironment may communicate to services using messages such as XMLmessages, a protocol bridging mechanism may be provided to enable theaccess of a Jini Service by a distributed computing environment client.In one embodiment, a connector mechanism may be defined that enables thedynamic advertisement of Jini services in distributed computingenvironment spaces, and that also may enable the accessing of a Jiniservice proxy from clients in the distributed computing environment. Inone embodiment, there may be Jini services that may not be bridged tothe distributed computing environment.

FIG. 29 illustrates bridging a client 1250 external to the distributedcomputing environment to a space 1254 in the distributed computingenvironment. Bridging agent 1252 may serve as the go-between betweenclient 1250 and space 1254. Bridging agent 1252 may communicate withclient 1250 in a communications protocol understandable by the client1250. Bridging agent 1252 may map the client's communications protocolinto the XML messaging protocol necessary to communicate with space 1254perform the facilities provided by space 1254. Bridging agent 1252, atclient 1250's request, may locate and run services on space 1254. Forexample, client 1250 may request a list of all services of a particulartype from space 1254. Bridging agent 1252 may locate serviceadvertisements 1256 a–c and return the results to client 1250.Alternatively, the results may be posted in a results space, and thelocation of the results may be returned to the client 1250. Client 1250may then choose to execute service advertisement 1256 a, and may send amessage (in the client 1250's communications protocol) to bridging agent1252. Bridging agent 1252 may then send the XML request message(s)necessary to execute the service represented by service advertisement1256 a, and may return the results of the service to client 1250.Methods of handling the results of the service other than directlyreturning the results to the client 1250 may be used as described abovein the section titled Spaces. Bridging agent 1252 thus may act as aservice of the external client 1250 (via the external client's protocol)and as a client within the distributed computing environment to bridge aservice within the distributed computing environment to the externalclient.

Sometimes, even within the distributed computing environment, clientsand services cannot directly communicate with each other, only to acommon space. In this case, the space service will automatically createa service proxy that bridges client to service. The proxy's main job isto route messages between client and service through the space. Theservice proxy may be created dynamically. The creation mechanism may bedependent upon space implementation. Refer to FIG. 30 for anillustration of a proxy mechanism. A client 554 and a service 556 maynot be able to communicate directly within the distributed computingenvironment, e.g., because they support different transport or networkprotocols. However, they both may be able to communicate with a space552 that supports both protocols. The space service may create a proxy550 to bridge the client 554 to the service 556. A common form of proxyis a browser proxy. A browser proxy (most commonly implemented as aservlet) may translate conventional Web page requests into messages.Refer also to the description of space search services (and proxiestherefore) in the Spaces section herein.

In the computer industry, an enterprise may be a corporation, smallbusiness, non-profit institution, government entity, or other kinds oforganization. An enterprise may utilize a enterprise computingenvironment for conducting a portion of its business. The enterprisecomputing environment may include various enterprise services. Clientsin the distributed computing environment may desire to use services inthe enterprise computing environment.

The distributed computing environment may provide a mechanism forbridging clients in the distributed computing environment to enterpriseservices. In one embodiment of a distributed computing environment, amethod for bridging clients to enterprise services may include a clientwithin the distributed computing environment, a bridge service withinthe distributed computing environment, and an enterprise service withinthe enterprise environment. The distributed computing environment bridgeservice serves as a bridge service between the client and the enterpriseservice.

The bridge service interacts with the client via XML message passing togather input parameters necessary to make requests to the enterpriseservice outside of the distributed network environment. For example, thebridge service may be looked up and instantiated by the client just asany other service in the distributed computing environment. The bridgeservice then may interact with the enterprise service to run theenterprise service. This interaction may use an interprocesscommunications architecture that the enterprise service can understand.As an example, if an enterprise service is implemented with EnterpriseJavaBeans (EJB), a bridge service may communicate with the enterpriseservice using EJB. The bridge service may then receive results from theenterprise service and may return the results directly to the client (inXML messages) or may place the results in a space in the distributednetwork environment (e.g. a results space). To the client, the bridgeservice appears to be the only service (the enterprise service is hiddento the client), so the client does not have to support the architectureof the enterprise service. Multiple distributed network environmentclients may use the same bridge service (each using a unique gate pair)to interact with the enterprise service.

Client Displays

There are several methods in which results from a service run by aclient may be displayed in a distributed computing environment. Devicesthat may display results may include, but are not limited to: CRTs oncomputers; LCDs on laptops, notebooks displays, etc; printers; speakers;and any other device capable of displaying results of the service invisual, audio, or other perceptible format. The methods for displayingresults may include, but are not limited to:

-   -   The service may return results to a client directly or by        reference, and the client may handle the display of the results.    -   The service may return results to a client directly or by        reference, and the client may pass the results to a display        service directly or by reference, and the display service may        display the results.    -   The service may directly handle the displaying of the results.    -   The service may pass the results to a display service directly        or by reference, and the display service may display the        results.

In the last method of displaying results, the display service may bespecified by the client. For example, there may be a display service onor associated with the device on which the client resides that theclient wishes to use to display the results of the service. When theclient runs the service, the client may send a message to the servicespecifying the service advertisement of the client's display service.The service may then build a gate that allows it to send messages to theclient's display service. Thus, when displaying results, the serviceinvoked by the client becomes a client of the client's display serviceand send its results (directly or by reference) for display to thatdisplay service. More detail on the client-service relationship, gates,and messaging is included in other sections of this document.

FIG. 31 illustrates one embodiment of a client 1300 with associateddisplay 1302 and display service 1304 according to one embodiment.

Conventional application models are typically based on predetermined,largely static user interface and/or data characteristics. Changes toconventional applications may require code modification andrecompilation. The mechanisms described for advertising services and forspecifying XML message schemas for communicating with services in thedistributed computing environment may be used to provide a mechanism forapplications (clients, services, etc) to describe dynamic displayobjects. Using the dynamic display objects, application behavior may bealtered without having to download new code, recompile, or relink theapplication.

FIGS. 32A and 32B illustrate examples of using schemas of dynamicdisplay objects according to one embodiment.

Display schemas may be provided for displaying the same results indifferent formats, for extracting portions of the results for display,and for displaying the results on different display devices.

String Management

String handling in conventional systems is generally not very efficient,especially for variable sized strings, and may be wasteful of memoryspace, e.g. as the string is copied and/or moved in memory. Thisinefficiency in string handling may be particularly problematic in smallmemory footprint systems such as embedded systems. Thus, a moreefficient method of handling strings in programs executing within smallfootprint systems such as embedded systems is desirable.

FIG. 33A illustrates a typical string representation in the Cprogramming language.

FIG. 33B illustrates an example of the results of the strncpy( )function on string 1452, when strncpy( ) is called with the followingparameters:

-   -   strncpy(string2, string1+3, 5);        where string2 is character pointer 1454 pointing to the first        byte after the terminating character of string 1452, string1+3        is character pointer 1450 incremented by 3 bytes, and 5 is the        number of characters (bytes) to be copied from the source        location string1+3 to string2.

FIG. 33C illustrates an efficient method for representing and managingstrings in general, and in small footprint systems such as embeddedsystems in particular.

The string handling structures and methods as described in FIG. 33C maybe used, along with the hierarchical structure of XML documents, toprovide more efficient handling of XML text (such as XML messages) insystems with small memory footprints such as embedded systems.

The hierarchical structure of XML documents may allow them to beprocessed in a recursive fashion with successively smaller portions ofthe document processed at each level of recursion. References to variousportions are recorded and processed recursively. String structures asdescribed in regard to FIG. 33C may be used to record the variousportions. In this manner, the content of specific XML tags, in oneembodiment the smallest unit of the XML document processed recursively,may be determined efficiently. Documents with repeated tags in the samescope may also be handled efficiently, as tags within a given scope maybe enumerated and processed efficiently.

Using the string structures with the recursive processing allows theprocessing to be done without creating copies of the subsections forprocessing. Copying of subsections may be particularly costly inrecursive processing, because as the recursion goes deeper, more andmore copies of the same data are made. Using the string structures, onlythe string structure containing the pointers to the first and last bytesin the subsection needs to be created and passed down to the next level.Other operations, such as determining the length of a subsection, may beperformed efficiently using the address information stored in the stringstructures. Also, by using the string structures, terminating characterssuch as those used to terminate C strings are not necessary, conservingmemory in small footprint devices such as embedded devices.

XML Representation of Objects

As previously mentioned, Jini RMI may not be practical for some clients,such as thin clients with minimal memory footprints and minimalbandwidth. The serialization associated with the Jini RMI is slow, big,requires the JVM reflection API, and is a Java specific objectrepresentation. Java deserialization is also slow, big and requires aserialized-object parser. Even Java based thin clients may not be ableto accept huge Java objects (along with needed classes) being returned(necessarily) across the network to the client, as required in Jini.

A more scalable distributed computing mechanism may be provided byembodiments of a distributed computing environment. A distributedcomputing environment may include an API layer for facilitatingdistributed computing. The API layer provides send message and receivemessage capabilities between clients and services. This messaging APImay provide an interface for simple messages in a representation data ormeta-data format, such as in the eXtensible Mark-up Language (XML). Notethat while embodiments are described herein employing XML, othermeta-data type languages or formats may be used in alternateembodiments. In some embodiments, the API layer may also provide aninterface for messages to communicate between objects or to passobjects, such as Java objects. Objects accessible through API layer 102are represented by a representation data format, such as XML. Thus, anXML representation of an object may be manipulated, as opposed to theobject itself.

The API layer may sit on top of a messaging layer. The messaging layermay be based on a representation data format, such as XML. In oneembodiment, XML messages are generated by the messaging layer accordingto calls to the API layer. The messaging layer may provide definedstatic messages that may be sent between clients and services. Messaginglayer may also provide for dynamically generated messages. In oneembodiment, an object, such as a Java object, may be dynamicallyconverted (compiled) into an XML representation. The object may includecode and/or data portions. The object's code and/or data portions may becompiled into code and data segments identified by XML tags in the XMLrepresentation. The messaging layer may then send the XML objectrepresentation as a message. Conversely, the messaging layer may receivean XML representation of an object. The object may then be reconstituted(decompiled) from that message. The reconstitution may examine the XMLrepresentation for tags identifying code and/or data segments of the XMLrepresentation, and use information stored in the tags to identify anddecompile the code and/or data portions of the object.

Creating and Sending an XML Representation of an Object

FIG. 34 illustrates a process of moving Java objects between a client1500 and a service 1502 according to one embodiment of the invention.Service 1502 may be any service supported in the distributed computingenvironment, including space services. Client 1500 employs a gate 1504,which may have been created using an XML schema received from a serviceadvertisement for service 1502, to communicate with a corresponding gate1506 for service 1502. At some point, client 1500 may need to send Javaobject 1510 to service 1502. Java object 1510 may reference otherobjects, which may reference other objects, and so on. Java object 1510and its referenced objects, the objects they reference, and so on, maybe referred to as an object graph.

Java object 1510 may be passed to a Java object compilation process 1512to be compiled to produce an XML representation of the object graph. TheXML representation of the object graph may be passed as an XML datastream 1514 to gate 1504. The XML data stream 1514 may include an XMLrepresentation of all the objects in the object graph. In oneembodiment, the objects in the object graph may be stored recursively inthe XML data stream 1514.

Gate 1504 may then package the XML data stream 1514 in a message 1516and send the message 1516 to gate 1506 of service 1502. Gate 1506 mayextract the XML data stream 1514 from XML message 1516 and send the XMLdata stream 1514 to an XML data stream decompilation process 1518 to bedecompiled to produce the object(s) comprising the object graph,including Java object 1510. In one embodiment, the objects in the objectgraph may be stored recursively in the XML data stream 1514, and thus arecursive decompilation process may be used.

When service 1502 needs to send a Java object to client 1500, asubstantially similar process may be used. Java object 1520 may bepassed to a Java object compilation process 1512 to be compiled toproduce an XML representation of the object graph. The XMLrepresentation of the object graph may be passed as an XML data stream1522 to gate 1506. Gate 1506 may then package the XML data stream 1522in a message 1524 and send the message 1524 to gate 1504 of client 1500.Gate 1504 may extract the XML data stream 1522 from XML message 1524 andsend the XML data stream 1522 to an XML data stream decompilationprocess 1518 to be decompiled to produce the object(s) comprising theobject graph, including Java object 1520.

In another embodiment, the gates may be responsible for the compilationand decompilation of Java objects. In this embodiment, Java object 1510may be passed to gate 1504. Gate 1504 may then pass object 1510 to aJava object compilation process 1512 to be compiled to produce an XMLrepresentation of the object graph in an XML data stream 1514. Gate 1504may then package the XML data stream 1514 in a message 1516 and send themessage 1516 to gate 1506 of service 1502. Gate 1506 may extract the XMLdata stream 1514 from XML message 1516 and send the XML data stream 1514to an XML data stream decompilation process 1518 to be decompiled toproduce the object(s) comprising the object graph, including Java object1510. Sending a Java object from service 1502 to client 1500 may besubstantially similar.

In one embodiment, object compilation process 1512 and objectdecompilation process 1518 may both exist on the client 1500 and theservice 1502, and may be programmed to perform compilation anddecompilation substantially similarly on the two devices, thus ensuringthe object(s) output on one end are substantially identical to theobject(s) input on the other end. In one embodiment, XML schemasincluding descriptions of Java objects may be used on both the clientand/or the service in the compilation and decompilation processes. Inone embodiment, XML schema(s) to be used in the compilation anddecompilation of Java objects may be passed by the service to the clientin the service advertisement.

XML provides a language- and platform-independent object representationformat. Thus, the process as illustrated in FIG. 34 where an object iscompiled into an XML representation of the object and decompiled toreproduce the object may not be limited to moving Java objects, but insome embodiments may be applied to moving objects of other types betweenentities in a network.

JVM Compilation/Decompilation API

FIGS. 35 a and 35 b are data flow diagrams illustrating embodimentswhere a virtual machine (e.g. JVM) includes extensions for compilingobjects (e.g. Java Objects) into XML representations of the objects, andfor decompiling XML representations of (Java) objects into (Java)objects. The JVM may supply an Applications Programming Interface (API)to the compilation/decompilation extensions. The client 1500 and service1502 may be executing within JVMs. The JVMs may be on the same device oron different devices.

In both FIG. 35 a and FIG. 35 b, the JVM XML compiler/decompiler API1530 may accept a Java object 1510 as input, and output an XMLrepresentation of the object 1510 and all its referenced objects (theobject graph of object 1510) in an XML data stream 1514. In addition,the JVM XML compiler/decompiler API 1530 may accept an XML data stream1522, which includes an XML representation of object 1520 and all itsreferenced objects (the object graph of object 1520), and output Javaobject 1520 (and all the objects in its object graph).

FIG. 35 a illustrates one embodiment where, when sending Java object1510, the JVM XML compiler/decompiler API 1530 is called by the client.The client 1510 passes Java object 1510 to the API 1530, which compilesthe object to produce its XML representation, stores the XMLrepresentation in XML data stream 1514, and outputs XML data stream1514. XML data stream 1514 may then be passed to gate 1504 by theclient. Gate 1504 may then package the XML data stream 1514 in an XMLmessage 1516 and send message 1516 to service 1502.

Upon receiving XML message 1524 from service 1502, gate 1522 may extractXML data stream 1522 from message 1524 and pass data stream 1522 toclient 1500. Client 1500 may then call the JVM XML compiler/decompilerAPI 1530, passing API 1530 the XML data stream 1522. The API 1530 maythen decompile the XML data stream 1522 to produce Java object 1520 andother objects in its object graph, returning the objects to client 1500.

FIG. 35 b illustrates another embodiment where, when sending Java object1510, the JVM XML compiler/decompiler API 1530 is called by the gate.The client 1510 passes Java object 1510 to gate 1504. Gate 1504 thenpasses object 1510 to API 1530, which compiles the object to produce itsXML representation, stores the XML representation in XML data stream1514, and outputs XML data stream 1514. Gate 1504 may then package theXML data stream 1514 in an XML message 1516 and send message 1516 toservice 1502.

Upon receiving XML message 1524 from service 1502, gate 1522 may extractXML data stream 1522 from message 1524 and pass data stream 1522 to theJVM XML compiler/decompiler API 1530. The API 1530 may then decompilethe XML data stream 1522 to produce Java object 1520 and other objectsin its object graph. The gate may then send Java object 1520 and theother objects to client 1500.

In one embodiment, the JVM XML compiler and decompiler may beimplemented as integrated functions of the JVM. In another embodiment,the XML compiler and decompiler may be embodied in API methodinvocations in standard extensions to the JVM; thus, the core JVM doesnot have to be modified. The JVM may supply the JVM XMLcompiler/decompiler API 1530 to processes (clients and/or services)executing within the JVM to allow the processes to access the Javaobject compilation/decompilation functionality provided by the JVM. Inone embodiment, for a process to utilize the objectcompilation/decompilation, the JVM within which the process is executingmust have the JVM XML compiler/decompiler functionality and API 1530.

Methods using reflection and serialization to transform and send objectsare typically implemented in applications separate from the JVM. Theapplication must repeatedly access the JVM to pick apart an object onefield at a time as the transitive closure of the object is dynamicallyanalyzed. This tends to be a slow and cumbersome process, while alsorequiring large amounts of application and JVM code.

Implementing the Java object compilation/decompilation functionalitywithin the JVM is advantageous because the JVM already understands theconcept of, and contents of, an object graph. Thus, thecompilation/decompilation functions may leverage the knowledge (andreuse code) of the JVM in parsing the object graph to produce the XMLrepresentation, and in parsing the XML representation to produce theobject graph. Thus, the compilation/decompilation functions may not haveto duplicate functionality that is provided by the JVM, as do objectsending methods using reflection and serialization. This may allow thecode footprint of the compilation/decompilation functions to be smallerthan that of object sending methods using reflection and serialization.Also, an object may be complied or decompiled by a single call to theJVM XML compiler/decompiler API.

In addition, integrating the compilation/decompilation of objects withthe JVM may allow the compilation and decompilation of objects to beperformed faster than methods using reflection and serializationbecause, in the object traversal model implemented with reflection andserialization, the code outside the JVM does not know the structure orgraph of the Java object, and thus must traverse the object graph,pulling it apart, and ultimately must repeatedly call upon the JVM to dothe compilation (and the reverse process for decompilation). Thisprocess may be slowed by the necessity of making repeated calls to theJVM, outside the code. Having the compilation and decompilationfunctionality integrated with the JVM, as described herein, avoidshaving to make repeated calls from code outside the JVM to the JVM. Inone embodiment, an object may be complied or decompiled by a single callto the JVM XML compiler/decompiler API.

In one embodiment, the compilation/decompilation functionality may beimplemented as a service in the distributed computing environment. Theservice may publish a service advertisement in a space. A process in thedistributed computing environment may use a search or discovery serviceto locate the compilation/decompilation service. The process (a clientof the service) may then use the service by passing Java objects to becompiled into XML representations and/or XML representations to bedecompiled into Java objects to the service.

Java objects may include code (the object's methods) and data. Anobject's code may be non-transient; the code does not change once theobject is created. An object's data, however, may be transient. Twoobjects created from the same Java class may include identical code, butthe data in the two objects may be different. In one embodiment, thecompilation function may compile a Java object's data into an XMLrepresentation of the object, but may not include the object's actualcode in the XML representation. In one embodiment, information about theobject may be included in the compiled XML representation to indicate tothe receiver how to recreate the code for the object. The XMLrepresentation may then be stored in an XML data stream and sent (e.g.,in a message) to a receiving process (client or service). The receivingprocess may then pass the XML data stream to the decompilation function.The decompilation function may then decompile the XML data stream toproduce the Java object including its data. In one embodiment, the codefor the object may be reproduced by the decompilation function usinginformation about the object in the XML representation, as the code foran object may be statically defined and the JVM receiving the object maybe able to reproduce the code (if necessary) using its knowledge of theobject.

In one embodiment, the XML representation of the object produced by thecompilation function may include the Java object's data and informationabout the Java object. The information may include class information forthe Java object. An object signature may be included in the informationand may be used to identify the object's class, etc. The decompilationfunction may recreate the code for the Java object using the informationabout the Java object and may decompile the data from the XML datastream into the Java object. Thus, a complete object including its codeand data may be reproduced on the JVM executing the receiving client orservice from the decompiled data and the information describing theobject. In one embodiment, the information describing the object may bestored in one or more XML tags. In one embodiment, the client or servicereceiving the XML data stream may include an XML schema that describesthe object, and the XML schema may be used to reconstruct the Javaobject from the decompiled data and from the information about the Javaobject. The decompilation process may proceed recursively through theobject graph, reconstructing the objects referenced by the object bydecompiling the referenced objects' data from the XML data stream andrecreating the referenced objects' code from information about thereferenced objects in the XML data stream.

In one embodiment, the XML representation of the object produced by thecompilation function may include the object's data and information thatidentifies the code of an object. In one embodiment, the informationidentifying the code of the object may be stored in one or more XML tagsin the XML data stream. When received, the decompilation function mayrecreate the code for the Java object using the information about thecode from the XML data stream and decompile the data for the object fromthe XML data stream. Thus, a complete object including its code and datamay be reproduced on the JVM executing the receiving client or servicefrom the decompiled data and the information describing the code of theobject.

Several scenarios of using XML representations of objects to transferobjects between entities (typically clients and services) in adistributed computing environment are included for clarification. Thesescenarios are exemplary and are not intended to be limiting.

In a first scenario, a service may use the XML compiler/decompiler tocompile a Java object into an XML representation of the object and sendthe XML representation to a client. The client may the use the XMLcompiler/decompiler to decompile the XML representation and performoperations on the data within the object, and later may use the XMLcompiler/decompiler to compile the object into an XML representation ofthe object and return the XML representation of the object to theservice.

In a second scenario, a service may use the XML compiler/decompiler tocompile a Java object into an XML representation of the object and sendthe XML representation to a client. The client may then send the XMLrepresentation to another service, which may use the XMLcompiler/decompiler to decompile the XML representation to reproduce theobject, perform operations on the object at the request of the client(possibly modifying the data), use the XML compiler/decompiler torecompile the modified object into its XML representation, and send theXML representation of the object to the client.

In a third scenario, a service may use the XML compiler/decompiler tocompile a Java object into an XML representation of the object and sendthe XML representation to an object repository or store space. Theservice may then send a message to a client informing the client of thelocation of the XML representation. The message may include a UniversalResource Identifier (URI) for the XML representation. The client maythen retrieve the XML representation of the object from the store space,and may use the XML compiler/decompiler to decompile the representationto reproduce the object. Alternatively, the client may send the locationof the XML representation of the object to another service, along with arequest for operations to be performed on the object. The other servicemay then retrieve the XML representation from the store space, use theXML compiler/decompiler to decompile the XML representation to reproducethe object, and perform the requested operations on the object.

In a fourth scenario, a process (could be a client or service) maylocate an object repository or store space in the distributed computingenvironment by searching for and finding a service advertisement for thestore space. The process may, during execution, create or obtain aplurality of Java objects. The process may use the XMLcompiler/decompiler to compile one or more of the objects into XMLrepresentations of the objects, and may send, as a client of the storespace service, the XML representations of the objects to the store spaceto be stored for possible later access, or for access by otherprocesses.

Security Issues in the Decompilation of XML Representations of Objects

Spaces, as described herein, may serve as a file system in thedistributed computing environment. Security may be provided for files inthe system in the form of access rights. Access rights may be checkedeach time a file is accessed (opened, read, or written to). Thus, amethod for providing file access security in the distributed computingenvironment may be desirable. This method may also be applied to the XMLrepresentations of Java objects that may be stored in spaces andtransmitted between clients and services in the distributed computingenvironment.

In one embodiment, a user of a client on a device in the distributedcomputing environment may be identified and authenticated when firstaccessing the client. In one embodiment, the user may supply a physicalidentification such as a smart card for identification andauthorization. In another embodiment, a challenge-response mechanism(such as user ID and password) may be used for identification andauthorization. Yet another embodiment may use electronic identificationsuch as a digital signature for identification and authorization. Anyother method of identification and authorization may be used.

Once identified and authorized, the user may then perform variousoperations on the client, including accessing one or more services inthe distributed computing environment. During these operations, asdescribed above, one or more objects may be created or acquiredelsewhere. The objects may be modified and may be compiled into XMLrepresentations of the objects and stored locally by the client or sentto a space service for (transitive or persistent) store. Some of theobjects may be received from services (store services or other services)in the form of XML representations of the objects, which may bedecompiled by the XML compiler/decompiler to recreate the objects on theclient.

In one embodiment, during the decompilation of the XML representation ofobjects, each XML message may be checked to verify that the user hasaccess rights to the object. If the user does not have the proper accessrights, the XML compiler/decompiler may not decompile the object for theuser. In one embodiment, a security exception may be thrown by the XMLcompiler/decompiler. In one embodiment, the user may be informed of theaccess violation.

Access right information, such as the creator and access levels allowed(creator-only access, read only, read/write, delete, copy, etc.) for theobject may be embedded in the XML message(s) containing the XMLrepresentation of the object. Access authorization may be determinedduring the identification and authorization of the user. For example,the object may allow “read only” access for most users, and “read/write”access for the creator of the object. If the user tries to access anobject using read/write access rights, and the object was not created bythe user, the decompilation process may detect this as an accessviolation, and may disallow the access and notify the user.

In one embodiment, when the user is done using the client, the user maylog off or otherwise signal the user is finished with the client (e.g.remove a smart card). Objects created on the client by decompilation maybe automatically deleted when the client detects that the user isfinished. This may prohibit future users from intentionally oraccidentally accessing the user's objects. In one embodiment, allobjects created by decompilation may be deleted upon detecting that theuser is finished. In another embodiment, a method may be provided tostore at least some of the objects created on the client persistently(e.g. with access rights information), so that the client may lateraccess the objects, or provide the objects to other users for access.

In one embodiment, the user may have a “smart card” or other physicaldevice to gain access to the client. The user may insert the smart cardinto the client device to begin the session. When the client isfinished, the client may remove the smart card. The client may detectthe removal of the smart card, and thus detect that the client isfinished, and may then proceed to delete objects created bydecompilation of XML representations.

XML-Based Object Repositories

In the distributed computing environment, processes (services and/orclients) may desire transient and/or persistent storage of objects suchas XML schemas, service advertisements, results generated by services,XML representations of Java objects and/or objects implemented in otherlanguages, etc. Existing object storage technologies tend to be languageand/or operating system specific. These storage systems also tend to betoo complicated to be used with small footprint systems such as embeddedsystems.

JavaSpaces in Jini is an existing object repository mechanism. AJavaSpace may be only capable of storing Java objects and may be toolarge to be implemented in small devices with limited amounts of memory.Each object in a JavaSpace may be serialized as previously described,and thus has the same limitations as previously described for thereflection and serialization techniques.

A store mechanism may be provided for the distributed computingenvironment that may be heterogeneous (not language or operating systemdependent), that may scale from small to large devices, and that mayprovide transient or persistent storage of objects. In one embodiment,the store mechanism in the distributed computing environment may beimplemented as an Internet Web page or set of pages defined in the XMLmarkup language. XML provides a language- and platform-independentobject representation format enabling Java and non-Java software tostore and retrieve language-independent objects. Since the storemechanism is on the Web, devices of all types and sizes (small to large)may access the store mechanisms. Web browsers may be used to view thestore mechanism implemented as Web pages. Web search engines may be usedto search for contents in the store mechanism implemented as Web pages.Internet administration mechanisms (existing and future) and XML toolsmay be used to administer the XML-based store mechanisms.

In one embodiment, the store mechanisms may be used to store objectscreated, represented or encapsulated in XML. Examples of objects thatmay be stored in the store mechanisms may include, but are not limitedto: XML schemas, XML representations of objects (for example, Javaobjects compiled into XML representations as described above), serviceadvertisements, and service results (data) encapsulated in XML. In oneembodiment, to prevent unauthorized access of an XML object, anauthorization credential such as a digital signature or certificate maybe included with the XML object, and a client wishing to access the XMLobject may be required to have the proper authorization credential toaccess the XML object. In one embodiment, the store mechanism may be aspace as described in the Spaces section herein.

Store mechanisms may be services in the distributed computingenvironment. A store mechanism implemented as a service may be referredto as a “store service”. A store service may publish an advertisement ina space. The space itself is an example of a store service. Some storeservices may be transient. For example, a space service that storesservice advertisements may be a transient store. Other store servicesmay be persistent. For example, a store service that stores results fromservices may be a persistent store.

FIG. 36 illustrates a client 1604 and a service A 1606 accessing storemechanisms 1600 and 1602 in the distributed computing environmentaccording to one embodiment. This illustration is intended to beexemplary and is not intended to be limiting to the scope of thisinvention. In one embodiment, store mechanisms 1600 and 1602 may each bean Internet Web page or set of Web pages defined in XML and accessibleby a Web browser and other Internet tools. Store mechanism 1600 is atransient store capable of storing objects implemented using XML. Storemechanism 1602 is a persistent store also capable of storing objectsimplemented using XML. Service A 1606 may publish an XML serviceadvertisement 1608 in transient store 1600. Persistent store may alsopublish an XML service advertisement in transient store 1600 (or onanother transient store in the distributed computing environment). Atsome point, client 1604 may require functionality provided by Service A1606. Client 1604 may use a discovery and/or lookup service to locateservice advertisement 1608. Client 1604 may then construct a messagegate, as described herein, and begin communications with Service A 1606.Client 1604 may send one or more XML request messages to Service A 1606.Service A 1606 may perform one or more functions in response to the oneor more request messages. One or more of the functions performed byService A 1606 may produce results to be provided to client 1604.

For transient results 1610, Service A 1606 may encapsulate the resultsin an XML advertisement 1612 and publish the advertisement 1612 intransient store 1600 (or on another transient store in the distributedcomputing environment). Service A 1606 may then notify client 1604 thatthe results 1610 are stored in advertisement 1612 on transient store1600, or client 1604 may be notified by other mechanisms as describedherein. Client 1604 may then retrieve transient results 1610 fromadvertisement 1612. The advertisement 1612 may include an XML schemadescribing the formatting, contents, type, etc. of the transient results1610. The results may be encapsulated in XML. For example, XML tags maybe used to describe portions of the data:

-   -   <XML tag1><data1>    -   <XML tag2><data2>

For persistent results 1618, Service A 1606 may use a service or othermechanism as described herein to locate XML service advertisement 1616for persistent store 1602, and thus locate persistent store 1602 forstoring persistent results. Alternatively, client 1604 may havepreviously located persistent store 1602 by locating its serviceadvertisement 1616, and then may send a Universal Resource Identifier(URI) for a storage location for persistent results 1618 to Service A inan XML message. In one embodiment, persistent results 1618 may be storedin an Internet Web page or set of Web pages defined in XML andaccessible by a Web browser. Service A 1606 may then store persistentresults 1618 in persistent store 1602. Service A 1606 may then publishan XML advertisement 1616 for the persistent results 1618 in transientstore 1600 (or on another transient store in the distributed computingenvironment) and return the location of the advertisement 1616 to client1604. The advertisement 1616 may include an XML schema describing theformatting, contents, type, etc. of the persistent results 1618. Theresults may be encapsulated in XML as previously described. Theadvertisement may also include the URI of the persistent results 1618.The client 1604 may then retrieve the advertisement 1616 and use it tolocate and retrieve persistent results 1618. Alternatively, Service A1606 may not publish an advertisement for persistent results 1618, butinstead may return a URI for the persistent results 1618 to client 1604so client 1604 may access the results without looking up anadvertisement. Note in some embodiments, the various advertisementsshown in transient store 1600 may each be stored in different transientstores or spaces.

Thus, store mechanisms may be implemented as XML-based Internet Webpages in the distributed computing environment. These store mechanismsmay be implemented on a variety of devices in the environment, and mayprovide service advertisements to allow clients (which may be otherservices) to locate and use the store mechanisms. Existing and futureWeb and XML tools may be used to manage the store mechanisms. The storemechanisms may store objects of various types implemented orencapsulated in XML. Clients on devices of substantially any size, fromsmall footprint devices to supercomputers, may access the storemechanisms to store and retrieve the various objects on the Internet.The clients may be Java or non-Java applications, as XML provides alanguage-independent storage format. The transient or persistent objectrepositories may provide for a file system in the distributed computingenvironment and may include access checks and other security mechanismas described herein.

Dynamically Converting an XML Document into a Java Object

In one embodiment, the distributed computing environment may provide amechanism to convert and represent an object class instance into an XMLdocument. In order to send representation of a class instance to anotherservice, the object may be converted and represented as a XML document.In one embodiment, when receiving an XML document, a program mayinstantiate a class instance corresponding to the object represented bythe document. In one embodiment, the objects may be Java objects, andthe program may be a Java program.

XML-Based Process Migration

The distributed computing environment may enable the distribution andmanagement of distributed applications. For example, the distributedcomputing environment may include mobile clients that are dockable withstations that provide monitors, printers, keyboards, and various otherinput/output devices that are typically not provided on mobile devicessuch as PDAs, cell phones, etc. These mobile clients may run one or moreapplications, and may migrate from one station to another in thedistributed computing environment. Thus, one embodiment of thedistributed computing environment may provide a method for migrating anexecuting application (process) with its entire current state from amobile client on one node to the same mobile client or another mobileclient at another node within the distributed computing environment.

FIG. 37 illustrates process migration using an XML representation of thestate of a process according to one embodiment. Process A 1636 a may beexecuting on node 1630. Process A 1636 a may be a client or service. Atsome point during the execution of Process A 1636 a, the state ofexecution of Process A 1636 a may be captured and stored in anXML-encapsulated state of Process A 1638. The execution of Process A1636 a on node 1630 may then be stopped. Later, node 1632 may locate theXML-encapsulated state of Process A 1638 and use it to resume Process A1636 b on the node 1632. Resuming Process A may include using the storedstate 1638 to resume thread execution, recalculate transient variables,re-establish leased resources, and perform any other functions necessaryto resume execution as recorded in the stored XML state of the process1638.

Applications

Technologies exist that allow a user to access network data from remotelocations, making the remote data appear as local data to the user,provided the user has access to a browser. However, such technologies donot provide an automatic infrastructure to query networks near a clientdevice's location. A mechanism for discovering information aboutnetworks and services near a client device may be desirable. Forexample, such a mechanism may be used to locate information aboutrestaurants, weather, maps, traffic, movie information, etc within acertain distance (radius) of the client device, and to display desiredinformation on the client device. An example of using this mechanism maybe a cell phone that can be used to automatically locate services in alocal environment, for example, in a movie theater to display the titlesand show times of current features in the movie theater or in arestaurant to view menu selections and prices. In the distributedcomputing environment as described herein, such a mechanism may be usedto discover spaces including local information and/or services proximateto the client device. The mechanism may also be applied in otherdistributed computing environments, for example, the Jini system fromSun Microsystems, Inc.

In one embodiment, a mobile client device may include Global PositioningSystem (GPS) capability and wireless connection technology. Localdistributed computing networks may be provided. For example, a city mayprovide a citywide distributed computing environment. Another examplemay be a shopping mall with a local distributed computing environment. Alocal distributed computing network may include a discovery mechanism toallow client devices to connect to the distributed computing environmentand to discover services and data in the local environment. For example,one or more devices in the environment may include wireless connectiontechnology to allow mobile client devices to connect to the network andto access the discovery mechanism via the XML messaging system asdescribed previously. A local distributed computing environment mayinclude one or more spaces with advertisements for services and/or datato be made available to mobile clients. For example, a citywidedistributed computing environment may include spaces that represententities such as malls, movie theaters, local news, local weather,traffic, etc. A space may include individual service and/or dataadvertisements for accessing services of and information about theentity the space represents. The discovery mechanism may include a GPSlocation or locations of the local distributed computing environment,entities represented by space services within the environment, and/orthe various services advertised in the spaces in the environment.

In one embodiment, wired connections may be provided to a localdistributed computing network. In this environment, a user with a mobileclient device may “plug in” directly to the network using a wiredconnection “docking station”. Examples of wired connections include, butare not limited to: Universal Serial Bus (USB), FireWire, andtwisted-pair Internet. In one embodiment, a docking station may alsoprovide input/output capabilities such as a keyboard, mouse, and displayfor the mobile client device. In this embodiment, the location of themobile client device may be provided to the lookup or discoverymechanism by the docking station.

In one embodiment, a mobile client device may connect to a distributedcomputing network. As the user of the mobile client device navigateswithin wireless communications range of the distributed computingnetwork, the mobile client device may constantly, or at variousintervals, provide a location vector as input to the local lookup ordiscovery mechanism. The mobile client device may obtain the locationvector from a GPS system built into or associated with the mobileclient. In one embodiment, the client may send its location information(e.g. via XML messaging) to a local service discovery mechanism, such asone of the space location mechanisms described herein. For example, theclient may run the space discovery protocol specifying discovery forspaces offering services within a certain range of the clients location,or the client may instantiate a space search service to search forspaces advertising services provided for the client's vicinity.

As the mobile client device moves into a specified range of a spacewithin the distributed computing environment, the services and/or datastored in the space may be made available to the mobile client device.In embodiments where the client device regularly provides its locationto a discovery mechanism, local services and/or data may automaticallybe made available to the client's user. In one embodiment, the specifiedrange of a space may be determined by the user of the mobile clientdevice. For example, the user may choose to display all restaurantswithin one mile of a current location. Alternatively, the range may bespecified in the configuration of the local distributed computingnetwork. For example, a citywide distributed computing network may beconfigured to provide its services to all users within three miles ofthe city limits. In one embodiment, visual indicators, for exampleicons, representing the various services and/or data offered by thespace may be displayed on the mobile client device. The client may thenaccess one or more of the displayed services and/or data. In oneembodiment, information from two or more spaces may be displayedsimultaneously on the mobile client device. In one embodiment, the usermay select what services and/or data are to be detected. For example, ina shopping mall, a user with a mobile client device may choose todisplay all shoe stores in the mall.

In one embodiment, executable code and/or data used in the execution ofthe code may be downloaded to the mobile client device to allow the userto execute an application provided by a service in the space. Forexample, moviegoers with mobile client devices may download interactivemovie reviews from services in a space for the movie theater, and maythus perform real-time feedback about the movie they are watching. Inone embodiment, an XML object compilation/decompilation mechanism, e.g.as described elsewhere herein, may be used to compile the code and/ordata to produce XML representations of the code and/or data, and todecompile the XML representations to reproduce the code and/or data onthe mobile client device. In one embodiment, an executable version of aprocess may previously exist on the mobile client device, and a storedstate of the process may be downloaded to the mobile client device toallow the user to execute the process using the stored state. In oneembodiment, an executable version of a process may previously exist onthe mobile client device, and data for the process may be downloaded tothe mobile client device. For example, data may be downloaded forviewing with a viewer program on the mobile client device. In oneembodiment, an executable version of a process, including the code anddata for executing the process, may be downloaded for execution on themobile client device. In one embodiment, the service may execute theapplication remotely on behalf of the mobile client device, and theservice and client may pass to each other XML messages including dataand optionally XML schemas describing the data. In one embodiment, somecode may be executed on the service and some on the client. For example,the service may execute code to perform operations on a set of data suchas numerical calculations. The mobile client device may execute codethat may display portions of the data passed to the client from theservice in XML messages and allow the user of the mobile client deviceto enter and/or select data and send the data to the service forperforming one or more operations on the data.

In one embodiment, a mobile client device may be connected to two ormore services in the distributed computing network simultaneously. Theservices may be used independently or in conjunction for performing aseries of tasks. For example, one service may be used by a remote clientdevice to locate and/or perform operations on a set of data, and asecond service may be used to print the set of data.

FIG. 38 illustrates a mobile client device accessing spaces in a localdistributed computing network, according to one embodiment. A user ofGPS-enabled mobile computing device 1700 may move into proximity of alocal distributed computing environment. The mobile client device 1700may provide its location provided by GPS 1702 to one or more discoverymechanisms 1706 in the local distributed computing network. Thediscovery mechanism 1706 may use the provided GPS location of the mobileclient device and predetermined locations of spaces within theenvironment to determine when the user moves within a specified range ofone or more spaces or a vicinity served by one or more spaces within theenvironment. For example, discovery mechanism 1706 may determine thatmobile client device 1700 has moved within range of space 1704.Discovery mechanism 1706 may then provide one or more advertisements1710 from space 1704 to the mobile client device 1700. Alternatively,discovery mechanism 1706 may provide a Universal Resource Identifier(URI) for space 1704, or for one or more advertisements in space 1704,to mobile client device 1700. Icons representing the various servicesadvertised by service advertisements 1708 and/or data represented bycontent advertisements 1710 may then be displayed on mobile clientdevice 1700. The user may then select one or more of the advertisedservices and/or data for execution and/or display on the mobile clientdevice. The mobile computing device 1700 may establish a wirelessconnection with the device offering the service and communicate with thedevice to execute the service using the XML-based messaging system aspreviously described herein. Alternatively, the user of the mobilecomputing device 1700 may connect the device at a docking station. Thelocation of the docking station may have been discovered by the userusing the lookup or discovery mechanism 1706, and spaces containingadvertisements for the docking stations to discover the location andavailability of docking stations within a specified range of the user.

Discovery mechanism 1706 may also detect when mobile client device 1700moves into a selected range of space 1714. The various serviceadvertisements 1718 and content advertisements 1720 may then be madeavailable to the user of the mobile client device 1700. When the mobileclient device moves out of the specified range of one of the spaces, theadvertisements offered by that space may be removed from the mobileclient device 1700's display.

In one embodiment, advertisements on a space may include locationinformation for the services or data that they provide. Thus, discoverymechanism 1706 may determine when mobile client device 1700 moves withina specified range of a particular service advertised on space 1718, andmay provide (or remove) the service advertisement based upon thelocation of the mobile client device 1700.

Computing devices are shrinking while at the same time gaining power andfunctionality. Storage devices, CPUs, RAM, I/O ASICS, power supplies,etc. have been reduced in size to where small, mobile client devices mayinclude much of the functionality of a full-sized personal computer.However, some components of a computer system are not easily shrinkablebecause of the human factor and other factors. These components include,but are not limited to: keyboards, monitors, scanners, and printers. Thelimits on reducing the size of some components may prevent mobile clientdevices from truly assuming the role of personal computers.

In one embodiment, docking stations may be provided that allow userswith mobile client devices to connect to and use components that are notavailable on the mobile client device because of human or other factors.For example, docking stations may be provided in public places such asairports or libraries. The docking stations may provide monitors,keyboards, printers or other devices for users with mobile clientdevices. In one embodiment, the docking stations may not fully functionwithout help from a real computing device such as a mobile client deviceconnected by a user. The docking station may provide services such asvarious input/output functions to the client using the computing powerof the mobile client device.

A docking station may provide one or more connection options to a mobileclient device. The connection options may include wireless connectionsand wired connections.

Examples of wireless connections include, but are not limited to:infrared such as IrDA and wireless network connections similar to thoseprovided by a network interface card (NIC) in a notebook computer.Examples of wired connections include, but are not limited to: USB,FireWire, and twisted-pair Ethernet.

A mobile client device may discover the location of docking stationsusing a method substantially similar to that described above for mobileclient devices. The location of one or more docking stations in a localdistributed computing network may be discovered using a discoverymechanism to discover spaces with advertisements for docking stations.The mobile client device may provide a location to the discoverymechanism. In one embodiment, the discovery mechanism or a lookupmechanism may return the location of one or more docking stationsclosest to the location of the mobile client device. Alternatively, thediscovery mechanism or lookup mechanism may return a URI of the spacecontaining the advertisements for the docking stations, and the mobileclient device may then connect with the space to provide the location ofthe one or more docking stations near the device. In one embodiment, themobile client device may supply information to the lookup or discoverymechanism to specify requirements such as monitor resolution, screensize, graphics capabilities, available devices such as printers andscanners, etc. In one embodiment, information about the one or moredocking stations may be supplied to the user on the mobile client deviceincluding availability (is another user using the docking station),components and capabilities of the various docking stations.

When a user approaches a docking station, a claiming protocol may beinitiated. When the claim is accepted by the docking station, secureinput and output connections may be established between the mobileclient device and the docking station. Alternatively, the user mayselect the docking station from one or more docking stations discoveredusing the lookup or discovery mechanism displayed on the mobile clientdevice. When the user selects the docking station, the claiming protocolmay be initiated to give the user secure, exclusive connection to thedocking station for the duration of the claim. A docking station releasemethod may also be provided to allow the user to terminate the sessionon the docking station and release the docking station for use by otherusers. In one embodiment, the claiming protocol may be a lease on thedocking station service as described previously herein.

FIG. 39 a illustrates a user of a mobile device discovering the locationof docking stations according to one embodiment.

FIG. 39 b illustrates a mobile client device 1750 connecting to adocking station 1760, according to one embodiment.

In one embodiment, a user may connect a mobile client device to adocking station without using the discovery mechanism. For example, auser in an airport may visually detect a docking station and connect amobile client device to it. Another example may be a library providing adocking station room with a plurality of docking stations for use, whereusers may access any of the docking stations that are available.

Small Footprint and/or Embedded Devices

Simple embedded or small footprint devices may have limited amounts ofmemory for storing and executing program instructions. A simple embeddeddevice may need to understand a limited set of control inputs forinitiating functionality of the device and outputs for reporting thestatus of the device. An example of a simple embedded device is a“smart” switch (such as a light switch) with embedded circuitry forcontrolling the switch and thus the device controlled by the switch. Thesmart switch may only need to understand two control requests (changethe state of the device, request the state of the device) and to sendone status message (the state of the device). The smart switch maymanage the device to which it is connected by receiving its controlrequests from one or more control systems and reporting status messagesto the one or more control systems.

In one embodiment, the distributed computing environment may provide aframework (protocol) for including small devices that may not have theresource footprint (such as memory) necessary to implement the fullprotocol of the distributed computing environment. In one embodiment, anagent may be provided as a bridge between the small device-capableprotocol and the full protocol. The agent may perform the full protocoldiscovery for the small device, so the device may not be required toimplement the full discovery protocol and service activation. In oneembodiment, the small device may only need to send service-specificmessages. In one embodiment, these messages may be pre-cooked on thesmall device, so the small device may only have to send messages thatare part of the service activation to the agent. The agent may performthe service activation via the full protocol to the service and forwardincoming message from the device to the service, and/or may forwardreplies from the service to the client. Thus, the agent may act as aservice connector for the small client.

In one embodiment of the distributed computing environment, an embeddeddevice may be configured to receive a specific set of control requestsin the form of XML messages and to send a specific set of XML messagesto make requests, report status, etc. In one embodiment, a controlsystem may be configured to manage a variety of devices by sending XMLrequest messages specific to each device or category of device that itcontrols and by receiving XML messages from the devices. In oneembodiment, one or more XML schemas may be used to define an embeddeddevice's specific set of XML messages; the schema may be used by theembedded device and/or the control system in sending and receiving XMLmessages.

An embedded device may include a “thin” implementation of the XMLmessaging system as previously described herein that supports thespecific set of messages for controlling and monitoring the simpleembedded device. The implementation of the XML messaging system may betailored for use with small footprint, simple embedded devices, and thusmay fit in the limited memory of the small footprint devices. In oneembodiment, the XML messaging system may be implemented in a smallfootprint with a virtual machine targeted at small footprint embeddeddevices (e.g. KVM). A networking stack (to support the transportprotocol for communications with one or more control systems) may beassociated with the virtual machine and the XML messaging layer may “siton top” of the networking stack. It is noted that this implementation ofthe messaging system may be used in other devices than small footprintor embedded devices.

In one embodiment, static or pre-generated messages may be used forrequests from control systems to embedded devices. The static messagesmay be precompiled and stored in the embedded devices. An incomingmessage may be compared with the stored static messages to find a matchfor the message and thus to perform the function requested by themessage, thus reducing or eliminating the need for code to parseincoming messages. Outgoing messages may be read directly from thestored static messages, thus reducing or eliminating the need todynamically compile outgoing messages. Thus, static messages may be usedto reduce the code footprint of the messaging layer in embedded systems.For example, static Java objects (Java op codes) may be used for requestand status messages.

FIG. 40 a illustrates an embodiment of embedded devices 1804 a and 1804b controlled by a control system 1800, according to one embodiment.Control system 1800 may be networked with the devices 1804 a and 1804 bit controls in any of a variety of ways. The network 1810 may be wired(Ethernet, coaxial, twisted pair, power grid, etc.) and/or wireless(IRDA, microwave, etc.). In one embodiment, embedded devices 1804 a and1804 b may include a thin implementation of the XML messaging system forcommunicating with control system 1800 over network 1810. Control system1800 may have an implementation of the XML messaging system for sendingrequests to and receiving responses from embedded devices 1804 a and1804 b. In one embodiment, control system 1800 may include software andhardware configured to present an interface to allow a user to displaythe status of and remotely control the embedded devices 1804 a and 1804b. In one embodiment, control system 1800 may include software and/orhardware for automatic control of embedded devices 1804 a and 1804 b.

In one embodiment, embedded devices 1804 a and 1804 b may be part ofanother environment. The devices may not support the message passingmodel implemented by the distributed network environment. For example,the devices may be nodes in a networked automation and control systemsuch as a LonWorks network. Control system 1800 may include a controlsystem hardware and/or software for controlling devices in the otherenvironment. Control system 1800 may serve as a bridge between thedistributed computing environment and the other environment. Thedistributed computing environment may also provide a method or methodsto wrap existing device discovery protocols for discovering the devicesfor access from the distributed network environment. Bridging andwrapping protocols are further described herein in the Bridging section.

Control system 1800 may be connected remotely or locally to one or moreother systems in the distributed computing environment. FIG. 40 a showscontrol system 1800 connected to client 1806 via the Internet 1802.Client 1806 may indirectly request the status of, and send controlrequests to, embedded devices 1804 a and 1804 b through control system1800. Thus, control system 1800 may serve as a proxy or bridge forembedded devices 1804 a and 1804 b. See the Bridging section herein. Toenable sophisticated communication between the client 1806 and thecontrol system 1800, the client and the control system may havedifferent implementations of the XML messaging system than the thinimplementation on the embedded devices 1804 a and 1804 b. In oneembodiment, client 1806 may include software and hardware configured topresent an interface to allow a user of client 1806 to display thestatus of and remotely control the embedded devices 1804 a and 1804 b.In one embodiment, client 1806 must present the correct authorizationcredentials to control system 1800 to enable the client 1806 to accessembedded devices 1804 a and 1804 b. In one embodiment, client 1806 maybe granted access at different levels. For example, client 1806 may onlybe able to view the status of embedded devices 1804 a and 1804 b but notbe allowed to remotely control the devices. In one embodiment, controlsystem 1800 may be a service, may have a service advertisement publishedin the distributed computing environment, and thus may be accessed byclient 1806 using the client-service method as described previously inthis document. In one embodiment, client 1806 may be able to view thestatus of, and to remotely control, control system 1800.

FIG. 40 b illustrates client control system 1808 connected via theInternet 1802 to embedded devices 1804 c and 1804 d, according to oneembodiment. In one embodiment, embedded devices 1804 c and 1804 d mayinclude a thin implementation of the XML messaging system forcommunicating with client control system 1808 over the Internet 1802.Client control system 1808 may have an implementation of the XMLmessaging system for sending requests to and receiving responses fromembedded devices 1804 c and 1804 d. In one embodiment, client controlsystem 1808 may include software and hardware configured to present aninterface to allow a user to display the status of and remotely controlthe embedded devices 1804 c and 1804 d. In one embodiment, clientcontrol system 1800 may include software and/or hardware for automaticcontrol of embedded devices 1804 c and 1804 d.

A difference between FIG. 40 a and FIG. 40 b is that, in the embodimentillustrated in FIG. 40 b, the embedded devices 1804 c and 1804 d may beaccessed by one or more clients in the distributed computing environmentwithout requiring a proxy (e.g. control system). Embedded devices 1804 cand 1804 d may include services for accessing the functionality of thedevices, may have published service advertisements in the distributedcomputing environment, and thus may be accessed via the client-servicemethod as described previously in this document.

The distributed computing environment may include a mechanism for aresource-limited client to retrieve Universal Resource Identifier (URI)addressed resources. For example, a client that is only capable ofsending and receiving messages via an IrDA connection may not be able toestablish a URI connection to retrieve results from a results space. Inone embodiment, a service may be provided as a bridge between the clientand the URI resource. The bridge service may interact with the clientvia XML messages to gather input parameters. The following is includedas an example of an XML input message syntax and is not intended to belimiting in any way:

-   -   <type name=“HttpGet”>        -   <element name=“urlstring” type=“string”/>    -   </type>

Then, outside the distributed computing environment, the bridge servicemay establish a URI connection and retrieve the resource. The resourcemay then be encapsulated as a payload in one or more XML messages andsent to the client by the bridge service.

The following illustration of one possible use of embedded devices withthin implementations of the XML messaging system is included forexemplary purposes and is not intended to be limiting. A building mayinclude a plurality of electronic devices that consume energy (e.g.lights, air conditioners, office equipment), and thus may require asystem for maintaining an optimum energy consumption level. Theplurality of devices may each include an embedded device for controllingthe electronic devices. The embedded devices may include the thinimplementation of the XML messaging system. One or more control systemsmay be coupled to the devices in a network, for example, a building LANor even the Internet. A control system may store and execute a buildingmanagement software package and an implementation of the XML messagingsystem configured to be used by the software package for monitoring andcontrolling the devices. The control system may accept input from users,and may display and otherwise output status information for the buildingenergy consumption system, including status information for each of theplurality of devices. Energy consumption may be monitored by receivingXML status messages from each of the plurality of devices. When energyconsumption levels need to be adjusted, XML control messages may be sentto one or more of the devices to cause the energy consumption to change.

Implementing Services

In one embodiment, the distributed computing environment may provide amechanism for implementing services as servlets. The mechanism mayprovide functionality for developing services for the distributedcomputing environment.

In one embodiment, an Application Programming Interface (API) may beprovided that provides the functionality to allow the service to beinitialized and registered in a space. In one embodiment, the API may beused to invoke the initialization of the service and to generate aninitialization status page, for example, an HTML page, that may definethe status of the service. A user may access the status of the serviceby accessing the status page from a browser. In one embodiment, the APImay be used to process incoming messages and to generate documents inresponse to the messages.

An embodiment of the servlet mechanism may provide several functionsincluding, but not limited to:

-   -   Management of the client connection to the service (unique        session ID)    -   Management of an activation space that may be used to store        results advertisements    -   Management of leases on connections sessions and results in        activation spaces    -   Garbage collection of sessions and results    -   Authentication of clients    -   Generation of client capabilities on a per session basis

CONCLUSION

Various embodiments may further include receiving or storinginstructions and/or data implemented in accordance with the foregoingdescription upon a carrier medium. Suitable carrier media may includestorage media or memory media such as magnetic or optical media, e.g.,disk or CD-ROM, as well as transmission media or signals such aselectrical, electromagnetic, or digital signals, conveyed via acommunication medium such as network and/or a wireless link.

Various modifications and changes may be made as would be obvious to aperson skilled in the art having the benefit of this disclosure. It isintended that the invention embraces all such modifications and changesand, accordingly, the specifications, appendices and drawings are to beregarded in an illustrative rather than a restrictive sense.

1. A method comprising: accessing a first space, wherein the first spacecomprises a first network-addressable storage location, whereininformation usable to access the first space is provided in anadvertisement for the first space, wherein the advertisement for thefirst space comprises a first schema, and wherein the first schemaspecifies one or more messages usable to invoke functions of the firstspace; a requesting client requesting creation of a second space bysending to the first space one of the messages specified by the firstschema; creating the second space in response to the requesting clientrequesting creation of the second space, wherein the second space isinitially configured to permit access only to the requesting client,wherein the second space comprises a second network-addressable storagelocation, wherein information usable to access the second space isprovided in an advertisement for the second space, wherein theadvertisement for the second space comprises a second schema, andwherein the second schema specifies one or more messages usable toinvoke functions of the second space; and the requesting clientaccessing the second space by sending to the second space one of themessages specified by the second schema.
 2. The method of claim 1,further comprising: creating a root authentication token for the secondspace; initializing an authentication service associated with the secondspace, whereby the second space is configured to permit access only to aclient holding the root authentication token; and sending the rootauthentication token to the requesting client.
 3. The method of claim 2,further comprising: the requesting client sending the rootauthentication token to a second client; and the second client accessingthe second space by sending to the second space one of the messagesspecified by the second schema.
 4. The method of claim 1, furthercomprising: the requesting client modifying a security policy of thesecond space, whereby the second space is configured to permit access toa second client.
 5. The method of claim 4, further comprising: thesecond client reading a service advertisement from the second space,wherein the service advertisement comprises information usable toexecute a corresponding service.
 6. The method of claim 1, wherein theaccessing the first space comprises sending information to the firstspace at a first Uniform Resource Identifier (URI); and wherein therequesting client accessing the second space comprises the requestingclient sending information to the second space at a second URI.
 7. Themethod of claim 1, wherein the first schema is expressed in a datarepresentation language; and wherein the second schema is expressed inthe data representation language.
 8. The method of claim 7, wherein thedata representation language comprises eXtensible Markup Language (XML).9. The method of claim 1, further comprising: reading a serviceadvertisement stored in the first space, wherein the serviceadvertisement comprises information which is usable to access andexecute a second service; using the information in the serviceadvertisement to execute the second service; generating a set of resultsof the second service in response to the executing the second service;and publishing the set of results of the second service in the secondspace; wherein the requesting creation of the second space comprisesrequesting creation of the second space for storage of the set ofresults of the service.
 10. The method of claim 1, wherein the accessingthe first space comprises accessing the first space at a first addressto a storage facility; wherein the creating the second space comprisescreating a second address to the storage facility; and wherein theaccessing the second space comprises accessing the second space at thesecond address to the storage facility.
 11. The method of claim 1,wherein the functions of the first space comprise storing information inthe first space and reading information from the first space; andwherein the functions of the second space comprise storing informationin the second space and reading information from the second space.
 12. Asystem comprising: a first client; a first space which iscommunicatively coupled to the client, wherein the first space comprisesa first network-addressable storage location, wherein information usableto access the first space is provided in an advertisement for the firstspace, wherein the advertisement for the first space comprises a firstschema, and wherein the first schema specifies one or more messagesusable to invoke functions of the first space; wherein the first clientis operable to: access the first space; request creation of a secondspace by sending to the first space one of the messages specified by thefirst schema, wherein the second space is initially configured to permitaccess only to the first client, wherein the second space comprises asecond network-addressable storage location, wherein information usableto access the second space is provided in an advertisement for thesecond space, wherein the advertisement for the second space comprises asecond schema, and wherein the second schema specifies one or moremessages usable to invoke functions of the second space; and access thesecond space by sending to the second space one of the messagesspecified by the second schema.
 13. The system of claim 12, wherein thesecond space is configured to permit access only to a client holding aroot authentication token; and wherein the second space is operable tosend the root authentication token to the first client.
 14. The systemof claim 13, further comprising: a second client which iscommunicatively coupled to the first client and the second space;wherein the first client is operable to send the root authenticationtoken to the second client; and wherein the second client is operable toaccess the second space by sending to the second space one of themessages specified by the second schema.
 15. The system of claim 12,further comprising: a second client which is communicatively coupled tothe first client and the second space; wherein the first client isoperable to modify a security policy of the second space, whereby thesecond space is configured to permit access to the second client. 16.The system of claim 15, wherein the second client is operable to read aservice advertisement from the second space, wherein the serviceadvertisement comprises information usable to execute a correspondingservice.
 17. The system of claim 12, wherein in accessing the firstspace, the first client is operable to send information to the firstspace at a first URI; and wherein in accessing the second space, thefirst client is operable to send information to the second space at asecond URI.
 18. The system of claim 12, wherein the first schema isexpressed in a data representation language; and wherein the secondschema is expressed in the data representation language.
 19. The systemof claim 18, wherein the data representation language compriseseXtensible Markup Language (XML).
 20. The system of claim 12, furthercomprising: a service which is communicatively coupled to the firstclient and to the first space; wherein the first client is operable toread a service advertisement stored in the first space, wherein theservice advertisement comprises information which is usable to accessand execute the service; wherein the service is operable to: generate aset of results of executing the service; create the second space; andpublish the set of results in the second space.
 21. The system of claim12, wherein in accessing the first space, the first client is operableto access the first space at a first address to a storage facility;wherein in requesting creation of the second space, the first client isoperable to request creation of a second address to the storagefacility; and wherein in accessing the second space, the first client isoperable to access the second space at the second address to the storagefacility.
 22. The system of claim 12, wherein the functions of the firstspace comprise storing information in the first space and readinginformation from the first space; and wherein the functions of thesecond space comprise storing information in the second space andreading information from the second space.
 23. A carrier mediumcomprising program instructions which are computer-executable toimplement: accessing a first space, wherein the first space comprises afirst network-addressable storage location, wherein information usableto access the first space is provided in an advertisement for the firstspace, wherein the advertisement for the first space comprises a firstschema, and wherein the first schema specifies one or more messagesusable to invoke functions of the first space; a requesting clientrequesting creation of a second space by sending to the first space oneof the messages specified by the first schema; creating the second spacein response to the requesting client requesting creation of the secondspace, wherein the second space is initially configured to permit accessonly to the requesting client, wherein the second space comprises asecond network-addressable storage location, wherein information usableto access the second space is provided in an advertisement for thesecond space, wherein the advertisement for the second space comprises asecond schema, and wherein the second schema specifies one or moremessages usable to invoke functions of the second space; and therequesting client accessing the second space by sending to the secondspace one of the messages specified by the second schema.
 24. Thecarrier medium of claim 23, wherein the program instructions are furthercomputer-executable to implement: creating a root authentication tokenfor the second space; initializing an authentication service associatedwith the second space, whereby the second space is configured to permitaccess only to a client holding the root authentication token; andsending the root authentication token to the requesting client.
 25. Thecarrier medium of claim 24, wherein the program instructions are furthercomputer-executable to implement: the requesting client sending the rootauthentication token to a second client; and the second client accessingthe second space by sending to the second space one of the messagesspecified by the second schema.
 26. The carrier medium of claim 23,wherein the program instructions are further computer-executable toimplement: the requesting client modifying a security policy of thesecond space, whereby the second space is configured to permit access toa second client.
 27. The carrier medium of claim 26, wherein the programinstructions are further computer-executable to implement: the secondclient reading a service advertisement from the second space, whereinthe service advertisement comprises information usable to execute acorresponding service.
 28. The carrier medium of claim 23, wherein inthe accessing the first space, the program instructions are furthercomputer-executable to implement sending information to the first spaceat a first URI; and wherein in the requesting client accessing thesecond space, the program instructions are further computer-executableto implement the requesting client sending information to the secondspace at a second URI.
 29. The carrier medium of claim 23, wherein thefirst schema is expressed in a data representation language; and whereinthe second schema is expressed in the data representation language. 30.The carrier medium of claim 29, wherein the data representation languagecomprises eXtensible Markup Language (XML).
 31. The carrier medium ofclaim 23, wherein the program instructions are furthercomputer-executable to implement: reading a service advertisement storedin the first space, wherein the service advertisement comprisesinformation which is usable to access and execute a second service;using the information in the service advertisement to execute the secondservice; generating a set of results of the second service in responseto the executing the second service; and publishing the set of resultsof the second service in the second space; wherein in the requestingcreation of the second space, the program instructions are furthercomputer-executable to implement requesting creation of the second spacefor storage of the set of results of the second service.
 32. The carriermedium of claim 23, wherein in the accessing the first space, theprogram instructions are further computer-executable to implementaccessing the first space at a first address to a storage facility;wherein in the creating the second space, the program instructions arefurther computer-executable to implement creating a second address tothe storage facility; and wherein in the accessing the second space, theprogram instructions are further computer-executable to implementaccessing the second space at the second address to the storagefacility.
 33. The carrier medium of claim 23, wherein the functions ofthe first space comprise storing information in the first space andreading information from the first space; and wherein the functions ofthe second space comprise storing information in the second space andreading information from the second space.